Windows Analysis Report
LXbM8RbhLa.exe

Overview

General Information

Sample name: LXbM8RbhLa.exe (renamed because original name is a hash value)
Original sample name: 27fdfbc4a5388e3c43fb79d75ee2b048.exe
Analysis ID: 1466592
MD5: 27fdfbc4a5388e3c43fb79d75ee2b048
SHA1: 8e3bbf0f0a899b8bb2eac42830081aff222a87a8
SHA256: 2bf758ec68ee38fb0e7bc577e3f8f0e3be2da66e73ccfb1328b8da6a496840c9
Tags: exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LXbM8RbhLa.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\LXbM8RbhLa.exe" MD5: 27FDFBC4A5388E3C43FB79D75EE2B048)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • A50C.exe (PID: 1784 cmdline: C:\Users\user\AppData\Local\Temp\A50C.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • C9EB.exe (PID: 6208 cmdline: C:\Users\user\AppData\Local\Temp\C9EB.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 356 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
          • GamePall.exe (PID: 4308 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2764 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2892 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5536 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3356 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5852 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1880 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 6100 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 6072 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2368 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 5504 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 6752 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 2448 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 3384 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 652 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4204 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5028 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2424 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2452 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3836 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6532 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • EDA0.exe (PID: 1976 cmdline: C:\Users\user\AppData\Local\Temp\EDA0.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
  • ervhhuc (PID: 4332 cmdline: C:\Users\user\AppData\Roaming\ervhhuc MD5: 27FDFBC4A5388E3C43FB79D75EE2B048)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware configuration (LummaC): {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Malware configuration (SmokeLoader): {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Malware configuration (Poverty Stealer): {"C2 url": "146.70.169.164:2227"}
Yara matches in memory dumps:
Source: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • Strings: 0x3464:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_SmokeLoader_2 | Description: Yara detected SmokeLoader | Author: Joe Security
Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_4e31426e | Description: unknown | Author: unknown
  • Strings: 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Yara matches in unpacked PEs:
Source: 9.2.EDA0.exe.a31ee0.2.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.EDA0.exe.a783a0.1.raw.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.EDA0.exe.3210000.3.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.EDA0.exe.3210000.3.raw.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security
Source: 9.2.EDA0.exe.a783a0.1.unpack | Rule: JoeSecurity_PovertyStealer | Description: Yara detected Poverty Stealer | Author: Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 356, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\ervhhuc, CommandLine: C:\Users\user\AppData\Roaming\ervhhuc, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ervhhuc, NewProcessName: C:\Users\user\AppData\Roaming\ervhhuc, OriginalFileName: C:\Users\user\AppData\Roaming\ervhhuc, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\ervhhuc, ProcessId: 4332, ProcessName: ervhhuc
No Snort rule has matched

AV Detection

Source: LXbM8RbhLa.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.EDA0.exe.a783a0.1.raw.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: A50C.exe.1784.5.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | Virustotal: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Virustotal: Detection: 11%
Source: LXbM8RbhLa.exe | ReversingLabs: Detection: 63%
Source: LXbM8RbhLa.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Joe Sandbox ML: detected
Source: LXbM8RbhLa.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03211C94 CryptUnprotectData,CryptProtectData,9_2_03211C94

Compliance

Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Unpacked PE file: 9.2.EDA0.exe.3210000.3.unpack
Source: LXbM8RbhLa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000A.00000002.3863490254.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.10.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA93 source: EDA0.exe, 00000009.00000002.3375559797.0000000009CA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: Del.exe.10.dr
Source: Binary string: ntkrnlmp.pdbx source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: EDA0.exe, 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000B.00000000.3636391603.0000000000802000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000013.00000002.3802971614.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.10.dr
Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.10.dr
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3863823454.00000000004FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Ionic.Zip.dll.10.dr
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Ionic.Zip.dll.10.dr
Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.10.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb" source: EDA0.exe, 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000013.00000002.3802971614.0000000005332000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: EDA0.exe, 00000009.00000000.2589952729.0000000000979000.00000002.00000001.01000000.0000000B.sdmp, EDA0.exe, 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3863823454.00000000004FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: EDA0.exe, 00000009.00000000.2589952729.0000000000979000.00000002.00000001.01000000.0000000B.sdmp, EDA0.exe, 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Directory queried: number of queries: 1420
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose,8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004027AA FindFirstFileA,8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_009724BD FindFirstFileExW,9_2_009724BD
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03211000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,9_2_03211000
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03214E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,9_2_03214E27
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03211D3C FindFirstFileW,FindNextFileW,9_2_03211D3C
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_032140BA FindFirstFileW,FindNextFileW,9_2_032140BA
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03213EFC FindFirstFileW,FindNextFileW,9_2_03213EFC
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\

Networking

Source: C:\Windows\explorer.exe | Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe | Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
Source: C:\Windows\explorer.exe | Network Connect: 201.110.238.249 80
Source: Malware configuration extractor | URLs: pedestriankodwu.xyz
Source: Malware configuration extractor | URLs: towerxxuytwi.xyz
Source: Malware configuration extractor | URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor | URLs: penetratedpoopp.xyz
Source: Malware configuration extractor | URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor | URLs: contintnetksows.shop
Source: Malware configuration extractor | URLs: foodypannyjsud.shop
Source: Malware configuration extractor | URLs: potterryisiw.shop
Source: Malware configuration extractor | URLs: potterryisiw.shop
Source: Malware configuration extractor | URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor | URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor | URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor | URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor | URLs: 146.70.169.164:2227
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 141.8.192.126
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00905B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,9_2_00905B80
Source: GamePall.exe, 00000014.00000002.3925440895.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4153471532.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 00000014.00000002.3925440895.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4153471532.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000014.00000002.3925440895.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4153471532.0000000003201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz
Source: GamePall.exe, 0000000B.00000002.3882306701.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz/c/g
Source: GamePall.exe, 0000000B.00000002.3882306701.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz/c/g4
Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2106288229.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2106288229.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2103039182.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2106288229.0000000009B0B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2106288229.0000000009B0B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                  Source: log4net.xml.10.drString found in binary or memory: http://logging.apache.org/log4j
                  Source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp, log4net.xml.10.drString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                  Source: log4net.xml.10.drString found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2&gt;
                  Source: C9EB.exe, C9EB.exe, 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp, C9EB.exe, 00000008.00000000.2526695071.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000003.3636473223.000000000055C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000000.3346534032.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000002.3863490254.000000000040A000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                  Source: C9EB.exe, 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp, C9EB.exe, 00000008.00000000.2526695071.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000003.3636473223.000000000055C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000000.3346534032.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000002.3863490254.000000000040A000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2106288229.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 00000002.00000000.2106288229.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                  Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                  Source: explorer.exe, 00000002.00000000.2105344774.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2105795178.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2105769555.0000000008870000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                  Source: GamePall.exe, 0000000B.00000002.3882306701.0000000002ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/).
                  Source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/
                  Source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: explorer.exe, 00000002.00000000.2108877374.000000000C81C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: Ionic.Zip.dll.10.drString found in binary or memory: http://www.codeplex.com/DotNetZip
                  Source: log4net.xml.10.drString found in binary or memory: http://www.connectionstrings.com/
                  Source: log4net.xml.10.drString found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
                  Source: log4net.xml.10.drString found in binary or memory: http://www.iana.org/assignments/multicast-addresses
                  Source: GamePall.exe, 0000000E.00000002.3930740409.0000000006250000.00000002.00000001.00040000.00000020.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
                  Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                  Source: A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                  Source: C9EB.exe, 00000008.00000003.3873261962.00000000004CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat
                  Source: C9EB.exe, 00000008.00000002.3911502242.0000000000478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat(
                  Source: C9EB.exe, 00000008.00000002.3911502242.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, C9EB.exe, 00000008.00000003.3873261962.00000000004CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat:
                  Source: C9EB.exe, 00000008.00000002.3911502242.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, C9EB.exe, 00000008.00000003.3873261962.00000000004CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datG
                  Source: C9EB.exe, 00000008.00000002.3911502242.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, C9EB.exe, 00000008.00000003.3873261962.00000000004CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datl
                  Source: C9EB.exe, 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: explorer.exe, 00000002.00000000.2108450338.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                  Source: explorer.exe, 00000002.00000000.2104650017.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                  Source: explorer.exe, 00000002.00000000.2104650017.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: explorer.exe, 00000002.00000000.2103836706.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                  Source: EDA0.exe, 00000009.00000002.3349177765.00000000009FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                  Source: EDA0.exe, 00000009.00000002.3349177765.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, EDA0.exe, 00000009.00000002.3349177765.00000000009FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.drString found in binary or memory: https://chrome.google.com/webstore/category/extensions
                  Source: GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, en-US.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, en-US.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
                  Source: et.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: et.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=etCtrl$1
                  Source: lt.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: lt.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=ltCtrl$1
                  Source: mr.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: mr.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=mrCtrl$1
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, vi.pak.10.drString found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                  Source: A50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467248279.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467792721.00000000013E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/
                  Source: A50C.exe, 00000005.00000003.2543626505.0000000001436000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578985366.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581647988.0000000001440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/.
                  Source: A50C.exe, 00000005.00000003.2530059880.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2543378452.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2516775771.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2537508412.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2502164282.0000000001463000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/..
                  Source: A50C.exe, 00000005.00000003.2530130148.000000000143A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/6
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517446422.000000000143C000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517153727.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/E
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517446422.000000000143C000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2488229894.0000000001437000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517153727.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467792721.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578229537.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2466655711.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467248279.00000000013C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/api
                  Source: A50C.exe, 00000005.00000002.2581083538.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578229537.00000000013C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apix
                  Source: A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/bmN
                  Source: A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/fe
                  Source: A50C.exe, 00000005.00000003.2578985366.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581647988.0000000001440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/m
                  Source: A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/ob
                  Source: A50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/ox
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517446422.000000000143C000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517153727.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/p9
                  Source: A50C.exe, 00000005.00000003.2543626505.0000000001436000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi
                  Source: A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/piw
                  Source: A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/s
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517446422.000000000143C000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517153727.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/sN
                  Source: A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/w
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.dr | String found in binary or memory: https://myactivity.google.com/
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://passwords.google.com
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, en-US.pak.10.dr | String found in binary or memory: https://passwords.google.comGoogle
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google.comT
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.dr | String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.dr | String found in binary or memory: https://policies.google.com/
                  Source: explorer.exe, 00000002.00000000.2108450338.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                  Source: GamePall.exe, 0000000B.00000002.3882306701.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://s.click.aliexpress.com/e/_DCeC8XD?dp=831901326567804928
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://support.google.com/chrome/answer/6098869
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.dr | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                  Source: GamePall.exe, 00000013.00000002.3754050897.0000000004DE6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
                  Source: EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                  Source: explorer.exe, 00000002.00000000.2106288229.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
                  Source: explorer.exe, 00000002.00000000.2106288229.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                  Source: A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, mr.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
                  Source: et.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
                  Source: GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, en-US.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                  Source: lt.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, vi.pak.10.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
                  Source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
                  Source: A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                  Source: A50C.exe, 00000005.00000003.2490761227.00000000039CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,8_2_004055E7
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03214BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,9_2_03214BA2
                  Source: GamePall.exe | Process created: 54

                  System Summary

                  Source: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000004.00000002.2408947734.0000000004340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000004.00000002.2408700708.000000000276B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401538
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,0_2_00402FE9
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014DE
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401496
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401543
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401565
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401579
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040157C
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401538
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,4_2_00402FE9
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014DE
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401496
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401543
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401565
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401579
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_0040157C
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,8_2_100010D0
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,8_2_004034CC
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_00406A88
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00961490
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_0096D515
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00974775
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_0096BE09
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: String function: 00960310 appears 51 times
                  Source: LXbM8RbhLa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000004.00000002.2408947734.0000000004340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000004.00000002.2408700708.000000000276B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: LXbM8RbhLa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ervhhuc.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                  Source: GamePall.exe.10.dr, Program.csBase64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 
'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@265/115@0/9
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,8_2_004034CC
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,8_2_00404897
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_029DF492 CreateToolhelp32Snapshot,Module32First,0_2_029DF492
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_00402173 CoCreateInstance,MultiByteToWideChar,8_2_00402173
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ervhhuc
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A50C.tmp
                  Source: LXbM8RbhLa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: A50C.exe, 00000005.00000003.2467650341.00000000038A5000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2478405862.00000000038B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: LXbM8RbhLa.exe | ReversingLabs: Detection: 63%
                  Source: LXbM8RbhLa.exe | Virustotal: Detection: 37%
                  Source: unknown | Process created: C:\Users\user\Desktop\LXbM8RbhLa.exe "C:\Users\user\Desktop\LXbM8RbhLa.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\ervhhuc C:\Users\user\AppData\Roaming\ervhhuc
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A50C.exe C:\Users\user\AppData\Local\Temp\A50C.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\C9EB.exe C:\Users\user\AppData\Local\Temp\C9EB.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\EDA0.exe C:\Users\user\AppData\Local\Temp\EDA0.exe
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A50C.exe C:\Users\user\AppData\Local\Temp\A50C.exe
                  Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C9EB.exe C:\Users\user\AppData\Local\Temp\C9EB.exe
                  Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EDA0.exe C:\Users\user\AppData\Local\Temp\EDA0.exe
                  Source: C:\Windows\explorer.exe Process created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Section loaded: msimg32.dll
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Section loaded: msvcr100.dll
                  Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
                  Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                  Source: C:\Windows\explorer.exe Section loaded: webio.dll
                  Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Section loaded: msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: acgenral.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: firewallapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Section loaded: fwpolicyiomgr.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: resourcepolicyclient.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mfplat.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rtworkq.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                  Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000A.00000002.3863490254.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.10.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA93 source: EDA0.exe, 00000009.00000002.3375559797.0000000009CA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: Del.exe.10.dr
                  Source: Binary string: ntkrnlmp.pdbx source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb source: EDA0.exe, 00000009.00000002.3516504541.000000000A5F3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: EDA0.exe, 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000B.00000000.3636391603.0000000000802000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000013.00000002.3802971614.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.10.dr
                  Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.10.dr
                  Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3863823454.00000000004FA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Ionic.Zip.dll.10.dr
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Ionic.Zip.dll.10.dr
                  Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.10.dr
                  Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb" source: EDA0.exe, 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000013.00000002.3802971614.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: EDA0.exe, 00000009.00000000.2589952729.0000000000979000.00000002.00000001.01000000.0000000B.sdmp, EDA0.exe, 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3863823454.00000000004FA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: EDA0.exe, 00000009.00000000.2589952729.0000000000979000.00000002.00000001.01000000.0000000B.sdmp, EDA0.exe, 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Unpacked PE file: 0.2.LXbM8RbhLa.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Unpacked PE file: 4.2.ervhhuc.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Unpacked PE file: 9.2.EDA0.exe.3210000.3.unpack
                  Source: Newtonsoft.Json.dll.10.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC] (an impossible link date; note that deterministic .NET builds write a content hash into TimeDateStamp, so on a stock library such as Newtonsoft.Json this is expected rather than a sign of tampering)
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,8_2_100010D0
                  Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
                  Source: A50C.exe.2.dr Static PE information: section name: .vmpLp
                  Source: A50C.exe.2.dr Static PE information: section name: .vmpLp
                  Source: A50C.exe.2.dr Static PE information: section name: .vmpLp
                  Source: libEGL.dll.10.dr Static PE information: section name: .00cfg
                  Source: libEGL.dll.10.dr Static PE information: section name: .voltbl
                  Source: libGLESv2.dll.10.dr Static PE information: section name: .00cfg
                  Source: libGLESv2.dll.10.dr Static PE information: section name: .voltbl
                  Source: chrome_elf.dll.10.dr Static PE information: section name: .00cfg
                  Source: chrome_elf.dll.10.dr Static PE information: section name: .crthunk
                  Source: chrome_elf.dll.10.dr Static PE information: section name: CPADinfo
                  Source: chrome_elf.dll.10.dr Static PE information: section name: malloc_h
                  Source: libEGL.dll0.10.dr Static PE information: section name: .00cfg
                  Source: libGLESv2.dll0.10.dr Static PE information: section name: .00cfg
                  Source: libcef.dll.10.dr Static PE information: section name: .00cfg
                  Source: libcef.dll.10.dr Static PE information: section name: .rodata
                  Source: libcef.dll.10.dr Static PE information: section name: CPADinfo
                  Source: libcef.dll.10.dr Static PE information: section name: malloc_h
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_02891CF8 push 00000076h; iretd 0_2_02891CFA
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_02892EFD push B92A2F4Ch; retf 0_2_02892F02
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_02891D38 push ecx; ret 0_2_02891D39
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_029E4EE4 push edx; ret 0_2_029E4EE5
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe Code function: 0_2_029E6F62 push FFFFFFFBh; iretd 0_2_029E6F78
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_00401CD1 push ecx; ret 4_2_00401CD2
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_00401C91 push 00000076h; iretd 4_2_00401C93
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_00402E96 push B92A2F4Ch; retf 4_2_00402E9B
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_0277452C push edx; ret 4_2_0277452D
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_027765AA push FFFFFFFBh; iretd 4_2_027765C0
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_04341D38 push ecx; ret 4_2_04341D39
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_04342EFD push B92A2F4Ch; retf 4_2_04342F02
                  Source: C:\Users\user\AppData\Roaming\ervhhuc Code function: 4_2_04341CF8 push 00000076h; iretd 4_2_04341CFA
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Code function: 9_2_0096004B push ecx; ret 9_2_0096005E
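The push/ret, push/retf and push/iretd pairs listed above are not what a compiler emits: `push imm32; ret` is a jump whose target never appears as a branch operand, and a far return or interrupt return directly after a push is usually packed or virtualized data that a linear disassembly has decoded as code. The scanner below finds these pairs in raw bytes and sorts them into those two buckets. It is an added example written for this page, not Joe Sandbox's heuristic and not code from the sample: SAMPLE_CODE is a constructed buffer that reproduces the three shapes from the report with an ordinary prologue and epilogue mixed in as negative cases, and SAMPLE_BASE is an arbitrary address chosen near the reported ones.

```python
"""Byte-level scan for 'push ...; ret / retf / iretd' pairs of the kind the report lists.
SAMPLE_CODE below is constructed to reproduce those shapes; it is not the sample's code."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # 0x50 + index = push r32
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

def _sext8(b):
    """push imm8 (6A ib) sign-extends to 32 bits: 6A FB is what the report prints as FFFFFFFBh."""
    return b | 0xFFFFFF00 if b & 0x80 else b

def scan_push_ret(code, base):
    """Return [(push_addr, operand_text, imm_or_None, ret_mnemonic, ret_addr)].
    This is a linear byte sweep with no notion of instruction boundaries, so on a
    real image it also fires on immediates and data that contain these byte pairs."""
    hits, i, n = [], 0, len(code)
    while i < n:
        op = code[i]
        if 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] in RETURNS:          # push r32
            hits.append((base + i, REG32[op - 0x50], None, RETURNS[code[i + 1]], base + i + 1))
            i += 2
        elif op == 0x6A and i + 2 < n and code[i + 2] in RETURNS:               # push imm8
            imm = _sext8(code[i + 1])
            hits.append((base + i, f"{imm:08X}h", imm, RETURNS[code[i + 2]], base + i + 2))
            i += 3
        elif op == 0x68 and i + 5 < n and code[i + 5] in RETURNS:               # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"{imm:08X}h", imm, RETURNS[code[i + 5]], base + i + 5))
            i += 6
        else:
            i += 1
    return hits

def report_lines(hits):
    """Render hits the way the report does: '<push addr> push X; ret <ret addr>'."""
    return [f"{a:08X} push {operand}; {ret} {r:08X}" for a, operand, _, ret, r in hits]

def disguised_jumps(hits, image_lo, image_hi):
    """push imm32; ret whose immediate lands inside the image is a jmp that leaves no
    direct branch for disassemblers and call/jmp cross-reference scans to follow."""
    return [(a, imm) for a, _, imm, ret, _ in hits
            if ret == "ret" and imm is not None and image_lo <= imm < image_hi]

def junk_candidates(hits):
    """retf/iretd right after a push almost never occur in compiler output; in a packed
    or virtualized section they are usually data decoded as code, i.e. evidence of
    the protection rather than a gadget anyone would execute."""
    return [a for a, _, _, ret, _ in hits if ret != "ret"]

# Constructed buffer: the report's patterns interleaved with an ordinary prologue/epilogue
# that must not match. The base address is arbitrary but chosen near the report's.
SAMPLE_BASE = 0x401C91
SAMPLE_CODE = bytes.fromhex(
    "6A76CF"          # push 76h; iretd
    "558BEC"          # push ebp; mov ebp, esp   (normal prologue)
    "51C3"            # push ecx; ret
    "684C2F2AB9CB"    # push B92A2F4Ch; retf
    "6AFBCF"          # push -5; iretd           (prints as FFFFFFFBh)
    "6800204000C3"    # push 00402000h; ret      (a disguised jmp into the image)
    "5DC3"            # pop ebp; ret             (normal epilogue)
    "52C3"            # push edx; ret
)

if __name__ == "__main__":
    found = scan_push_ret(SAMPLE_CODE, SAMPLE_BASE)
    print("\n".join(report_lines(found)))
    print("disguised jumps:", disguised_jumps(found, 0x400000, 0x410000))
    print("junk candidates:", junk_candidates(found))
```

report_lines() mirrors the report's "<push address> push X; ret <return address>" layout without the 0_2_ prefix the report adds. On a real dump, pass the bytes of the executable section together with its virtual base, and treat the junk bucket as a packing indicator rather than as individual findings.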
                  Source: LXbM8RbhLa.exe Static PE information: section name: .text entropy: 7.514529236691774
                  Source: ervhhuc.2.dr Static PE information: section name: .text entropy: 7.514529236691774
                  Source: Ionic.Zip.dll.10.dr Static PE information: section name: .text entropy: 6.821349263259562
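The static checks behind the findings in this section (section rights in the file compared with a memory dump of the same process, the section that owns the entry point, per-section entropy, and the COFF timestamp) fit in one stdlib-only Python script. This is an added example written for this page, not Joe Sandbox code and not anything from the sample. It builds its own minimal PE32 images as fixtures: a 'disk' image, a 'dump' of it in which .text has become writable (the condition the unpacking signature keys on), and a VMProtect-style image whose entry point sits in .vmpLp and whose timestamp is the 0xF68F744F value reported for Newtonsoft.Json.dll. The E/R/W letters are the raw IMAGE_SCN_MEM_* bits, so a normal data section shows as RW where the report prints W.

```python
"""Static PE triage: section rights (disk vs. dump), entry-point section, entropy, timestamp."""
import math
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_SCN_* characteristic bits from the PE/COFF specification
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
CODE_ER = SCN_CODE | SCN_EXECUTE | SCN_READ
FILE_ALIGN = 0x200
# Names a stock MSVC / .NET linker emits; anything else (.vmpLp, .00cfg, ...) deserves a look
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".tls", ".bss", ".CRT"}
_align = lambda n: -(-n // FILE_ALIGN) * FILE_ALIGN

def build_pe(sections, entry_rva, timestamp):
    """Assemble a minimal PE32 image as a test fixture (not a real sample).
    sections: list of (name, rva, characteristics, payload)."""
    first_raw = _align(0x40 + 4 + 20 + 0xE0 + 40 * len(sections))
    table, blobs, raw_ptr = b"", b"", first_raw
    for name, rva, chars, payload in sections:
        raw_size = _align(len(payload))
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), rva,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blobs

def parse_pe(data):
    """Return (timestamp, entry_rva, [(name, rva, vsize, raw_ptr, raw_size, chars)])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]      # AddressOfEntryPoint
    secs, off = [], pe + 24 + opt_size
    for _ in range(nsec):
        name, vsize, rva, rsize, rptr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, rptr, rsize, chars))
        off += 40
    return ts, entry, secs

def rights(chars):
    """E/R/W letters from the raw IMAGE_SCN_MEM_* bits."""
    return "".join(l for l, bit in (("E", SCN_EXECUTE), ("R", SCN_READ), ("W", SCN_WRITE)) if chars & bit)

def changed_rights(disk, dump):
    """Sections whose rights differ between the file and a memory dump of it; a code
    section that gains W in memory is what the unpacking signature keys on."""
    a = {s[0]: rights(s[5]) for s in parse_pe(disk)[2]}
    b = {s[0]: rights(s[5]) for s in parse_pe(dump)[2]}
    return [(n, a[n], b[n]) for n in a if n in b and a[n] != b[n]]

def entry_point_section(data):
    _, entry, secs = parse_pe(data)
    for name, rva, vsize, _, rsize, _ in secs:
        if rva <= entry < rva + max(vsize, rsize):
            return name
    return None                         # entry point in no section at all: also suspicious

def unusual_sections(data):
    return [s[0] for s in parse_pe(data)[2] if s[0] not in COMMON_SECTIONS]

def shannon_entropy(buf):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); above ~7 in .text suggests packing."""
    n = len(buf)
    return -sum(buf.count(v) / n * math.log2(buf.count(v) / n) for v in set(buf)) if n else 0.0

def section_entropy(data):
    return {name: round(shannon_entropy(data[rptr:rptr + rsize]), 3)
            for name, _, _, rptr, rsize, _ in parse_pe(data)[2]}

def timestamp_verdict(ts, now=None):
    """Decode TimeDateStamp by arithmetic (no gmtime), so dates past 2038 work on every platform."""
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    now = now or datetime.now(timezone.utc)
    flag = "future" if when > now else "too-old" if when.year < 1993 else "plausible"
    return when, flag

def fixtures():
    """Constructed images: a 'disk' file, its dump after the unpacker made .text
    writable, and a VMProtect-style file whose entry point sits in .vmpLp."""
    code = bytes(range(256)) * 16                                # uniform bytes: entropy 8.0
    rest = [(".rdata", 0x3000, SCN_IDATA | SCN_READ, b"\0" * 0x200),
            (".data", 0x4000, SCN_IDATA | SCN_READ | SCN_WRITE, b"\0" * 0x200),
            (".rsrc", 0x5000, SCN_IDATA | SCN_READ, b"\0" * 0x200)]
    disk = build_pe([(".text", 0x1000, CODE_ER, code)] + rest, 0x1010, 0x5F000000)
    dump = build_pe([(".text", 0x1000, CODE_ER | SCN_WRITE, code)] + rest, 0x1010, 0x5F000000)
    vmp = build_pe([(".text", 0x1000, CODE_ER, b"\x90" * 0x200),
                    (".vmpLp", 0x2000, CODE_ER, code)], 0x2040, 0xF68F744F)  # stamp from the report
    return disk, dump, vmp

if __name__ == "__main__":
    disk, dump, vmp = fixtures()
    print(changed_rights(disk, dump), entry_point_section(vmp), unusual_sections(vmp))
    print(section_entropy(disk), section_entropy(vmp), timestamp_verdict(0xF68F744F))
```

On a real case, read the dropped file and the sandbox's .unpack dump into `disk` and `dump` and call the same functions; the fixture builder exists only so the block runs offline. The entropy helper reads the raw section bytes, which is why a packed .text such as the 7.51 reported for LXbM8RbhLa.exe and ervhhuc stands out against a .NET assembly's 6.8.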
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsd7951.tmp\liteFirewall.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A50C.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe File created: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\INetC.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe File created: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\blowfish.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe File created: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\nsProcess.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ervhhuc
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EDA0.exe
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C9EB.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                  Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ervhhuc
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\lxbm8rbhla.exe
                  Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ervhhuc:Zone.Identifier read attributes | delete
                  Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (23 occurrences; this is SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the system's missing-file dialog so a failed file lookup never shows the user anything. Legitimate runtimes set it too, so on its own it is a weak signal; here it is notable because explorer.exe is acting for injected code, as its file drops and the deletion of the original sample above show)
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX (92 occurrences)
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 occurrences; SEM_NOGPFAULTERRORBOX additionally suppresses the Windows Error Reporting dialog, so if the process faults it exits without any visible prompt)
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX (52 further occurrences)
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process information set: NOOPENFILEERRORBOX (85 consecutive identical entries)
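Joe Sandbox renders every behaviour event as its source path fused directly onto the event text, appends link text such as "Jump to behavior" or a "graph_" reference, and emits one line per occurrence, which is why the NOOPENFILEERRORBOX error-mode entries above run to dozens of identical lines. The Python below is an added example, not part of the Joe Sandbox report: it splits such lines into source, thread, event and detail, strips the link residue, collapses repeats with a count, and tags the evasion-relevant events (SCSI enumeration, firmware-table query, long sleeps, mutex-gated exits, hypervisor strings in memory). The event vocabulary, residue patterns and tag rules are this example's own assumptions; the sample lines are copied from this report.

```python
"""Normalize, deduplicate and tag Joe Sandbox behaviour-signature lines.

Added example, not part of the report. EVENT_PREFIXES, LINK_RESIDUE and the
tag rules are assumptions chosen to cover the events seen on this page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Event texts that the page fuses onto the source path without a separator.
EVENT_PREFIXES = (
    "Process information set:", "Key enumerated:", "Evasive API call chain:",
    "System information queried:", "API/Special instruction interceptor:",
    "Binary or memory string:", "Memory allocated:", "Thread delayed:",
    "Window / User API:", "Dropped PE file which has not been started:",
    "Thread sleep time:", "Thread sleep count:", "Last function:",
    "Code function:", "File opened:",
)
# Interactive residue the report page appends to the event text.
LINK_RESIDUE = re.compile(r"\s*(Jump to behavior|Jump to dropped file|graph_\d+-\d+)$")
TID_RE = re.compile(r"\s*TID:\s*(\d+)$")
SLEEP_RE = re.compile(r"-(\d+)s >= -(\d+)s")          # "-600000s >= -30000s"
VM_STRING_RE = re.compile(r"VMWARE|NECVMWAR|VBOX|VIRTUALBOX|QEMU|HYPER-V|XEN", re.I)


@dataclass(frozen=True)
class Record:
    source: str
    tid: Optional[int]
    event: str
    detail: str


def parse_line(line: str) -> Optional[Record]:
    """Split 'Source: <path><Event>: <detail><residue>' into its fields."""
    line = line.strip()
    if not line.startswith("Source: "):
        return None
    body = line[len("Source: "):]
    # Take the earliest known event prefix after the first character.
    hits = [(body.find(p, 1), p) for p in EVENT_PREFIXES if body.find(p, 1) > 0]
    if not hits:
        return None
    idx, prefix = min(hits)
    source = body[:idx].strip()
    detail = LINK_RESIDUE.sub("", body[idx + len(prefix):]).strip()
    tid = None
    m = TID_RE.search(source)
    if m:                                   # "explorer.exe TID: 5824"
        tid = int(m.group(1))
        source = source[: m.start()].strip()
    if prefix == "Code function:":          # drop the repeated trailing function id
        fn_id = detail.split(" ", 1)[0]
        if detail.count(fn_id) > 1 and detail.endswith(fn_id):
            detail = detail[: -len(fn_id)].rstrip(",").rstrip()
    return Record(source, tid, prefix.rstrip(":"), detail)


def evasion_tags(rec: Record) -> List[str]:
    """Assumed mapping from event types to anti-analysis techniques."""
    tags = []
    d = rec.detail
    if rec.event == "Key enumerated" and "\\Enum\\SCSI" in d:
        tags.append("vm-check:disk-enumeration")
    if rec.event == "System information queried" and "FirmwareTableInformation" in d:
        tags.append("vm-check:firmware-table")
    if rec.event == "Thread sleep time":
        m = SLEEP_RE.search(d)
        if m and int(m.group(1)) >= int(m.group(2)):   # observed >= sandbox threshold
            tags.append("sandbox-evasion:long-sleep")
    if rec.event == "Evasive API call chain" and "CreateMutex" in d and "ExitProcess" in d:
        tags.append("sandbox-evasion:mutex-gate")
    if rec.event == "Binary or memory string" and VM_STRING_RE.search(d):
        tags.append("vm-artifact-string")
    return tags


def analyze(lines: Iterable[str]) -> Tuple[List[Tuple[Record, int]], Counter]:
    """Collapse identical records, keeping first-seen order, and count tags."""
    counts: Counter = Counter()
    order: List[Record] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec not in counts:
            order.append(rec)
        counts[rec] += 1
    tags: Counter = Counter()
    for rec in order:
        for t in evasion_tags(rec):
            tags[t] += counts[rec]
    return [(rec, counts[rec]) for rec in order], tags


# Lines copied from this report (three NOOPENFILEERRORBOX repeats kept on purpose).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\LXbM8RbhLa.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\EDA0.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_9-145626",
    r"Source: C:\Users\user\AppData\Local\Temp\A50C.exeSystem information queried: FirmwareTableInformationJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4144Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\C9EB.exeCode function: 8_2_004066FF FindFirstFileA,FindClose,8_2_004066FF",
    r"Source: explorer.exe, 00000002.00000000.2103039182.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A",
]

if __name__ == "__main__":
    records, tags = analyze(SAMPLE_LINES)
    for rec, n in records:
        print(f"{n:3d}x {rec.event}: {rec.detail}  [{rec.source}]")
    print(dict(tags))
```

Feed the whole report text to `analyze()` to get a deduplicated event list with counts and a tally of evasion tags per technique; the per-record counts are what matter when comparing samples, since a single SCSI enumeration is common to many installers while the combination of firmware-table query, ten-minute sleep and mutex-gated exit is the profile reported for this one.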

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Roaming\ervhhuc | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\ervhhuc | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\ervhhuc | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\A50C.exe | API/Special instruction interceptor: Addresses: 925B80, 7F4E89, BF7E15, 834080, 8FF069, 7176F5, 83522F
Source: LXbM8RbhLa.exe, ervhhuc | Binary or memory string: ASWHOOK
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated (memory reserve | memory write watch), 81 allocations at: 2950000, 2B80000, 4B80000, 2940000, 2AE0000, 2970000, 15A0000, 3050000, 5050000, 2750000, 2900000, 4900000, 1600000, 2F50000, 4F50000, D00000, 29F0000, 2800000, C00000, 2760000, DC0000, 1260000, 2E80000, 1260000, 14A0000, 2E70000, 2DC0000, 2EC0000, 30A0000, 2EE0000, 17F0000, 3200000, 3110000, 1370000, 2FC0000, 2D10000, 3050000, 3270000, 3190000, FA0000, 2960000, 4960000, AD0000, 24D0000, B80000, 1720000, 31E0000, 51E0000, 10C0000, 2B90000, 2AE0000, 8F0000, 2380000, 4380000, 14D0000, 30E0000, 2DA0000, 1320000, 2F10000, 4F10000, 6E0000, 2400000, 2330000, CE0000, 2870000, 26C0000, D30000, 2800000, 2730000, C10000, 2760000, 4760000, 1560000, 31A0000, 1770000, 1240000, 2C20000, 4C20000, 1280000, 2C30000, 4C30000
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 459
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1194
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 897
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3637
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 864
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 889
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd7951.tmp\liteFirewall.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\nsProcess.dll
Source: C:\Windows\explorer.exe TID: 5824 | Thread sleep time: -119400s >= -30000s
Source: C:\Windows\explorer.exe TID: 5684 | Thread sleep time: -89700s >= -30000s
Source: C:\Windows\explorer.exe TID: 5824 | Thread sleep time: -363700s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A50C.exe TID: 5792 | Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4144 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6632 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Last function: Thread delayed (10 identical entries)
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004027AA FindFirstFileA
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_009724BD FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03211000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03214E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03211D3C FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_032140BA FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03213EFC FindFirstFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_03212054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: explorer.exe, 00000002.00000000.2106288229.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2106288229.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2103039182.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: A50C.exe, 00000005.00000003.2478590376.00000000038DD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2106288229.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2466655711.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467792721.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467248279.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.0000000001398000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578229537.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578229537.0000000001398000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2104650017.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YNVMware
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: C9EB.exe, 00000008.00000002.3911502242.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, C9EB.exe, 00000008.00000003.3873261962.00000000004E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0wP%SystemRoot%\system32\mswsock.dll
                  Source: explorer.exe, 00000002.00000000.2103836706.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000002.00000000.2104650017.000000000769A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2104650017.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: explorer.exe, 00000002.00000000.2103836706.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                  Source: GamePall.exe, 0000000F.00000002.3846785740.0000000000D4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: GamePall.exe, 00000027.00000002.3978782048.0000000000FA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: explorer.exe, 00000002.00000000.2103836706.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dX
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: EDA0.exe, 00000009.00000002.3349177765.00000000009BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh>
                  Source: explorer.exe, 00000002.00000000.2103836706.0000000003530000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware,p
                  Source: A50C.exe, 00000005.00000003.2478590376.00000000038D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: explorer.exe, 00000002.00000000.2103039182.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exeAPI call chain: ExitProcess graph end nodegraph_8-3604
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exeSystem information queried: ModuleInformationJump to behavior
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00964383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00964383
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,8_2_100010D0
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_02890D90 mov eax, dword ptr fs:[00000030h] 0_2_02890D90
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_0289092B mov eax, dword ptr fs:[00000030h] 0_2_0289092B
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Code function: 0_2_029DED6F push dword ptr fs:[00000030h] 0_2_029DED6F
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_0276E3B7 push dword ptr fs:[00000030h] 4_2_0276E3B7
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_0434092B mov eax, dword ptr fs:[00000030h] 4_2_0434092B
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Code function: 4_2_04340D90 mov eax, dword ptr fs:[00000030h] 4_2_04340D90
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00975891 GetProcessHeap,9_2_00975891
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00960495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00960495
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_009606F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_009606F0
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_00960622 SetUnhandledExceptionFilter,9_2_00960622
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\explorer.exe | File created: EDA0.exe.2.dr
                  Source: C:\Windows\explorer.exe | Network Connect: 141.8.192.126 80
                  Source: C:\Windows\explorer.exe | Network Connect: 185.68.16.7 443
                  Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80
                  Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
                  Source: C:\Windows\explorer.exe | Network Connect: 201.110.238.249 80
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Thread created: C:\Windows\explorer.exe EIP: 33419D0
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Thread created: unknown EIP: 33619D0
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: pedestriankodwu.xyz
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: towerxxuytwi.xyz
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: ellaboratepwsz.xyz
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: penetratedpoopp.xyz
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: swellfrrgwwos.xyz
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: contintnetksows.shop
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: foodypannyjsud.shop
                  Source: A50C.exe, 00000005.00000002.2579351014.00000000003CD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: potterryisiw.shop
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\Desktop\LXbM8RbhLa.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\ervhhuc | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: explorer.exe, 00000002.00000000.2106288229.0000000009BAD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
                  Source: explorer.exe, 00000002.00000000.2103463842.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: explorer.exe, 00000002.00000000.2104508358.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2103463842.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000002.00000000.2103463842.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: explorer.exe, 00000002.00000000.2103463842.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: explorer.exe, 00000002.00000000.2103039182.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_0096013C cpuid 9_2_0096013C
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetLocaleInfoW,9_2_0096E096
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_009750DC
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: EnumSystemLocalesW,9_2_00975051
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetLocaleInfoW,9_2_0097532F
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00975458
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetLocaleInfoW,9_2_0097555E
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00975634
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: EnumSystemLocalesW,9_2_0096DBC7
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,9_2_00974CBF
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: EnumSystemLocalesW,9_2_00974FB6
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: EnumSystemLocalesW,9_2_00974F6B
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exe | Code function: 9_2_0096038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 9_2_0096038F
                  Source: C:\Users\user\AppData\Local\Temp\C9EB.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 8_2_004034CC
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: A50C.exe, 00000005.00000003.2537611087.0000000001432000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2537801608.0000000001434000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2537838179.000000000143A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara match | File source: Process Memory Space: A50C.exe PID: 1784, type: MEMORYSTR
                  Source: Yara match | File source: 9.2.EDA0.exe.a31ee0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.EDA0.exe.a783a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.EDA0.exe.3210000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.EDA0.exe.3210000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.EDA0.exe.a783a0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.EDA0.exe.a31ee0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: EDA0.exe PID: 1976, type: MEMORYSTR
                  Source: Yara match | File source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: A50C.exe, 00000005.00000002.2581083538.00000000013E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
                  Source: A50C.exe, 00000005.00000002.2581083538.00000000013E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                  Source: A50C.exe, 00000005.00000002.2581083538.00000000013E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                  Source: A50C.exe, 00000005.00000003.2517201953.00000000013F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
                  Source: A50C.exe, 00000005.00000003.2477894395.00000000013E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\BinanceK~
                  Source: A50C.exe, 00000005.00000002.2581083538.00000000013E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                  Source: A50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                  Source: A50C.exe, 00000005.00000003.2467792721.00000000013B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\EDA0.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\KLIZUSIQENJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\CZQKSDDMWRJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\A50C.exeDirectory queried: C:\Users\user\Documents\HQJBRDYKDEJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeDirectory queried: number of queries: 1420
                  Source: Yara matchFile source: 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.2517201953.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.2530246303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.2466602842.0000000001435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000003.2517673871.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: A50C.exe PID: 1784, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match, File source: Process Memory Space: A50C.exe PID: 1784, type: MEMORYSTR
                  Source: Yara match, File source: 9.2.EDA0.exe.a31ee0.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 9.2.EDA0.exe.a783a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 9.2.EDA0.exe.3210000.3.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 9.2.EDA0.exe.3210000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 9.2.EDA0.exe.a783a0.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 9.2.EDA0.exe.a31ee0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: EDA0.exe PID: 1976, type: MEMORYSTR
                  Source: Yara match, File source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed by tactic column (a number preceding a technique is the count shown in the matrix for that cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 1 Windows Management Instrumentation; 11 Native API; 1 Exploitation for Client Execution; 1 Command and Scripting Interpreter; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 Windows Service; 312 Process Injection; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: 1 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 312 Process Injection; 1 Hidden Files and Directories
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 1 System Time Discovery; 23 File and Directory Discovery; 137 System Information Discovery; 651 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 11 Archive Collected Data; 31 Data from Local System; 1 Screen Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
Behavior Graph (ID 1466592; sample LXbM8RbhLa.exe; start date 03/07/2024; architecture WINDOWS; score 100). Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures.

• LXbM8RbhLa.exe (started). Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
  • explorer.exe (injected by LXbM8RbhLa.exe). Network: 201.110.238.249 (UninetSAdeCVMX, Mexico); 185.68.16.7 (UKRAINE-ASUA, Ukraine); 2 other IPs or domains. Dropped: C:\Users\user\AppData\Roaming\ervhhuc (PE32); C:\Users\user\AppData\Local\Temp\EDA0.exe (PE32); C:\Users\user\AppData\Local\Temp\C9EB.exe (PE32); 2 other malicious files. Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
    • C9EB.exe (started). Dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
      • setup.exe (started). Dropped: C:\Users\user\AppData\...\vulkan-1.dll (PE32); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32); C:\Users\user\AppData\...\libGLESv2.dll (PE32); 16 other files (13 malicious). Signatures: Antivirus detection for dropped file
        • GamePall.exe (started). Network: 104.21.45.251 (CLOUDFLARENETUS, United States). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          • GamePall.exe (three instances started, plus 5 other processes); one instance contacts 1.1.1.1 (CLOUDFLARENETUS, Australia)
            • GamePall.exe (three further instances started, plus 9 other processes); the first of these starts four more GamePall.exe instances and the second starts three more
    • A50C.exe (started). Network: 188.114.96.3 (CLOUDFLARENETUS, European Union). Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
    • EDA0.exe (started). Network: 146.70.169.164 (TENET-1ZA, United Kingdom); 104.192.141.1 (AMAZON-02US, United States). Signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal browser information (history, passwords, etc)
• ervhhuc (started). Signatures: Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection); Switches to a custom stack to bypass stack traces

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| LXbM8RbhLa.exe | 63% | ReversingLabs | Win32.Trojan.SmokeLoader | |
| LXbM8RbhLa.exe | 38% | Virustotal | | Browse |
| LXbM8RbhLa.exe | 100% | Avira | HEUR/AGEN.1318160 | |
| LXbM8RbhLa.exe | 100% | Joe Sandbox ML | | |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405 | |
| C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Avira | HEUR/AGEN.1352426 | |
| C:\Users\user\AppData\Local\Temp\A50C.exe | 100% | Avira | HEUR/AGEN.1313486 | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405 | |
| C:\Users\user\AppData\Local\Temp\C9EB.exe | 100% | Avira | HEUR/AGEN.1359405 | |
| C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Temp\A50C.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Temp\EDA0.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 3% | ReversingLabs | Win32.Trojan.Generic | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 6% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\A50C.exe | 50% | ReversingLabs | Win32.Trojan.Smokeloader | |
| C:\Users\user\AppData\Local\Temp\A50C.exe | 69% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\C9EB.exe | 21% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\C9EB.exe | 9% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\EDA0.exe | 16% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\EDA0.exe | 38% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsd7951.tmp\liteFirewall.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsd7951.tmp\liteFirewall.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\INetC.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\INetC.dll | 1% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\blowfish.dll | 5% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\blowfish.dll | 3% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\nsProcess.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsyC940.tmp\nsProcess.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\setup.exe | 3% | ReversingLabs | Win32.Trojan.Generic | |
| C:\Users\user\AppData\Local\Temp\setup.exe | 6% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\Del.exe | 11% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 3% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 11% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 3% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 1% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 3% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | Virustotal | | Browse |
No Antivirus matches
No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://gebeus.ru/tmp/index.php | true | | |
| http://cx5519.com/tmp/index.php | true | | |
| contintnetksows.shop | true | | |
| http://evilos.cc/tmp/index.php | true | | |
| ellaboratepwsz.xyz | true | | |
| swellfrrgwwos.xyz | true | | |
| foodypannyjsud.shop | true | | |
| pedestriankodwu.xyz | true | | |
| towerxxuytwi.xyz | true | | |
                                                                                                                                                        https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          https://chrome.google.com/webstore?hl=ukCtrl$1setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000000.2104650017.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              http://api.install-stat.debug.world/clients/installsGamePall.exe, 00000014.00000002.3925440895.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4153471532.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://cdn.cookielaw.org/EDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refA50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://support.google.com/chrome/a/answer/9122284setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, lt.pak.10.drfalse
                                                                                                                                                                      https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477A50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://foodypannyjsud.shop/feA50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://foodypannyjsud.shop/..A50C.exe, 00000005.00000003.2530059880.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2543378452.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2516775771.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2537508412.0000000001465000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2502164282.0000000001463000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://chrome.google.com/webstore?hl=zh-CNCtrl$1setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1GamePall.exe, 00000013.00000002.3754050897.0000000004DE6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmpfalse
                                                                                                                                                                                    https://word.office.comonexplorer.exe, 00000002.00000000.2106288229.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://www.unicode.org/copyright.htmlGamePall.exe, 0000000E.00000002.3930740409.0000000006250000.00000002.00000001.00040000.00000020.sdmpfalse
                                                                                                                                                                                        https://powerpoint.office.comcemberexplorer.exe, 00000002.00000000.2108450338.000000000C460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiA50C.exe, 00000005.00000003.2491514090.0000000001435000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarkolt.pak.10.drfalse
                                                                                                                                                                                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=A50C.exe, 00000005.00000003.2468004802.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467594733.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467650341.00000000038D6000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3319489987.0000000009C6F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  http://bageyou.xyz/c/gGamePall.exe, 0000000B.00000002.3882306701.0000000002BD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    http://schemas.microexplorer.exe, 00000002.00000000.2105344774.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2105795178.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2105769555.0000000008870000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                                                                      http://api.install-stat.debug.world/clients/activityGamePall.exe, 00000014.00000002.3925440895.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000017.00000002.4153471532.0000000003201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://chrome.google.com/webstore?hl=zh-TWCtrl$1setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://www.apache.org/).GamePall.exe, 00000013.00000002.3742440555.0000000004DA2000.00000002.00000001.01000000.00000011.sdmpfalse
                                                                                                                                                                                                            https://foodypannyjsud.shop/apiA50C.exe, 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517446422.000000000143C000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2502350194.0000000001437000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2488229894.0000000001437000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517153727.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477894395.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467792721.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2578229537.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000002.2581083538.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2530083380.0000000001440000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2466655711.00000000013C0000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2517327053.0000000001438000.00000004.00000020.00020000.00000000.sdmp, A50C.exe, 00000005.00000003.2467248279.00000000013C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://myactivity.google.com/setup.exe, 0000000A.00000002.3864526388.000000000273B000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr, vi.pak.10.drfalse
                                                                                                                                                                                                                https://foodypannyjsud.shop/oxA50C.exe, 00000005.00000003.2477870273.0000000001435000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://remote-app-switcher.prod-east.frontend.public.atl-paas.netEDA0.exe, 00000009.00000003.3141851283.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    http://x1.c.lencr.org/0A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      http://x1.i.lencr.org/0A50C.exe, 00000005.00000003.2488780396.00000000038BE000.00000004.00000800.00020000.00000000.sdmp, EDA0.exe, 00000009.00000003.3334280878.000000000A677000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://www.google.com/chrome/privacy/eula_text.htmlH&elpManagedGamePall.exe, 0000000C.00000002.4131655441.0000000005620000.00000002.00000001.00040000.00000021.sdmp, en-US.pak.10.drfalse
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP               Domain    Country             ASN      ASN Name          Malicious
1.1.1.1          unknown   Australia           13335    CLOUDFLARENETUS   false
104.192.141.1    unknown   United States       16509    AMAZON-02US       false
141.8.192.126    unknown   Russian Federation  35278    SPRINTHOSTRU      true
188.114.96.3     unknown   European Union      13335    CLOUDFLARENETUS   true
104.21.45.251    unknown   United States       13335    CLOUDFLARENETUS   false
185.68.16.7      unknown   Ukraine             200000   UKRAINE-ASUA      true
201.110.238.249  unknown   Mexico              8151     UninetSAdeCVMX    true
146.70.169.164   unknown   United Kingdom      2018     TENET-1ZA         true

IP
127.0.0.127
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1466592
Start date and time:2024-07-03 07:45:04 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 17m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:39
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Sample name:LXbM8RbhLa.exe
renamed because original name is a hash value
Original Sample Name:27fdfbc4a5388e3c43fb79d75ee2b048.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@265/115@0/9
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 55%
• Number of executed functions: 117
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Execution Graph export aborted for target A50C.exe, PID 1784 because there are no executed function
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                          • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
01:46:09 | API Interceptor | 139212x Sleep call for process: explorer.exe modified
01:46:35 | API Interceptor | 9x Sleep call for process: A50C.exe modified
01:48:38 | API Interceptor | 1x Sleep call for process: GamePall.exe modified
07:46:18 | Task Scheduler | Run new task: Firefox Default Browser Agent 6F2C56242104E097 path: C:\Users\user\AppData\Roaming\ervhhuc
07:48:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
07:48:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
1.1.1.1 | PO-230821_pdf.exe | Get hash | malicious | FormBook, NSISDropper | Browse | www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
1.1.1.1 | AFfv8HpACF.exe | Get hash | malicious | Unknown | Browse | 1.1.1.1/
1.1.1.1 | INVOICE_90990_PDF.exe | Get hash | malicious | FormBook | Browse | www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
1.1.1.1 | Go.exe | Get hash | malicious | Unknown | Browse | 1.1.1.1/
104.192.141.1 | A662vmc5co.exe | Get hash | malicious | Unknown | Browse | bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
104.192.141.1 | lahPWgosNP.exe | Get hash | malicious | Amadey | Browse | bitbucket.org/alex222111/testproj/downloads/s7.exe
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
104.192.141.1 | Paid invoice.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
104.192.141.1 | PO#1487958_10.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
104.192.141.1 | Purchase Inquiry_pdf.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
104.192.141.1 | Purchase Inquiry_pdf.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
141.8.192.126 | http://a0748987.xsph.ru | Get hash | malicious | Unknown | Browse | a0748987.xsph.ru/favicon.ico
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 172.67.221.174
CLOUDFLARENETUS | http://differentia.ru | Get hash | malicious | Unknown | Browse | 1.1.1.1
CLOUDFLARENETUS | Doc_CI_PL_HBL_COO_Insu_.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
CLOUDFLARENETUS | Safeguard and Grow Your Assets.html | Get hash | malicious | Unknown | Browse | 172.64.152.241
CLOUDFLARENETUS | roger.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
CLOUDFLARENETUS | https://townsvilleucc.com.au | Get hash | malicious | Unknown | Browse | 188.114.97.3
CLOUDFLARENETUS | https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1 | Get hash | malicious | Unknown | Browse | 104.21.55.70
CLOUDFLARENETUS | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 104.21.45.251
CLOUDFLARENETUS | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 172.67.221.174
CLOUDFLARENETUS | https://rules-pear-kft5d2.mystrikingly.com/ | Get hash | malicious | Unknown | Browse | 104.17.25.14
SPRINTHOSTRU | file.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 141.8.192.126
SPRINTHOSTRU | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 141.8.192.126
SPRINTHOSTRU | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 141.8.192.126
SPRINTHOSTRU | OBbrO5rwew.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 141.8.192.126
SPRINTHOSTRU | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 141.8.192.126
SPRINTHOSTRU | https://kawak.com.co | Get hash | malicious | Unknown | Browse | 185.251.91.91
SPRINTHOSTRU | S#U0435tup.exe | Get hash | malicious | CopperShrimp | Browse | 185.185.70.98
SPRINTHOSTRU | S#U0435tup.exe | Get hash | malicious | CopperShrimp | Browse | 185.185.70.98
SPRINTHOSTRU | file.exe | Get hash | malicious | SmokeLoader | Browse | 141.8.192.6
SPRINTHOSTRU | https://www.asarco.com/ | Get hash | malicious | Unknown | Browse | 185.251.91.91
                                                                                                                                                                                                                          roger.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                          • 172.67.74.152
                                                                                                                                                                                                                          https://townsvilleucc.com.auGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 188.114.97.3
                                                                                                                                                                                                                          https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 104.21.55.70
                                                                                                                                                                                                                          SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exeGet hashmaliciousLummaC, Poverty Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                          • 104.21.45.251
                                                                                                                                                                                                                          37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeGet hashmaliciousLummaC, Poverty Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                          • 172.67.221.174
                                                                                                                                                                                                                          https://rules-pear-kft5d2.mystrikingly.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 104.17.25.14
                                                                                                                                                                                                                          AMAZON-02USwatchdog.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                          • 54.97.145.12
                                                                                                                                                                                                                          spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                          • 54.103.155.145
                                                                                                                                                                                                                          watchdog.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                          • 52.89.222.207
                                                                                                                                                                                                                          file.exeGet hashmaliciousLummaC, Poverty Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                          • 104.192.141.1
                                                                                                                                                                                                                          https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 52.222.236.94
                                                                                                                                                                                                                          SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exeGet hashmaliciousLummaC, Poverty Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                          • 104.192.141.1
                                                                                                                                                                                                                          37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exeGet hashmaliciousLummaC, Poverty Stealer, SmokeLoaderBrowse
                                                                                                                                                                                                                          • 185.166.143.48
                                                                                                                                                                                                                          https://rules-pear-kft5d2.mystrikingly.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 13.224.189.122
                                                                                                                                                                                                                          https://metamesklogni.webflow.io/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 108.156.2.28
                                                                                                                                                                                                                          http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                          • 18.239.94.85
No context
No context
Process: C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 107232830
Entropy (8bit): 7.999946456161068
Encrypted: true
SSDEEP: 1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5: FF2293FBFF53F4BD2BFF91780FABFD60
SHA1: 61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256: B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512: C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 6%
Reputation: unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6642176
Entropy (8bit): 7.866419732571782
Encrypted: false
SSDEEP: 98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5: BD2EAC64CBDED877608468D86786594A
SHA1: 778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256: CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512: 3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 50%
• Antivirus: Virustotal, Detection: 69%
Reputation: unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 293869
Entropy (8bit): 5.61569579822855
Encrypted: false
SSDEEP: 3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5: 60172CA946DE57C3529E9F05CC502870
SHA1: DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256: 42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
SHA-512: 15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 21%
• Antivirus: Virustotal, Detection: 9%
Reputation: unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 578048
Entropy (8bit): 6.297510031778876
Encrypted: false
SSDEEP: 12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1
SHA1: 7CC975D9FF785E269163897907D0B9B3CEE29956
SHA-256: 544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
SHA-512: D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 16%
• Antivirus: Virustotal, Detection: 38%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.389604568119155
Encrypted: false
SSDEEP: 1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5: 165E1EF5C79475E8C33D19A870E672D4
SHA1: 965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256: 9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512: CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 358363995
Entropy (8bit): 6.972150585647623
Encrypted: false
SSDEEP: 3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
MD5: 5F9D89B40243E83C0B48206CE4EB77D1
SHA1: 477A019AB11E5793168B3E41D83B80A8AC8F1D43
SHA-256: 2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
SHA-512: 5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type: data
Category: dropped
Size (bytes): 60466
Entropy (8bit): 5.603640719549413
Encrypted: false
SSDEEP: 1536:akqg31kqY3Q4Oc//////Q0LatojW/lX1Xb41:3qg323Sc//////Q3tojW/XXy
MD5: DE806154A80E3916669C466B6D001BD6
SHA1: B85BD0EC436125772A9C5403162628B7AAB35F49
SHA-256: 10D9B7F2238EFFEB71990F979B9DFE4F3BE3D212B05232EF34C39F9578CC11E3
SHA-512: 63CC5D6865C89AE2C41EEE3C76FD865D9461E96DBC570270982EB6DB5A15FB234098286CEE3FF9DB2255FEDA5207A222AB67743475AD60CCFD89A86B881BCB94
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 22016
Entropy (8bit): 5.668346578219837
Encrypted: false
SSDEEP: 384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5: 92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1: D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256: 5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512: 581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 22528
Entropy (8bit): 6.674611218414922
Encrypted: false
SSDEEP: 384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5: 5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1: FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256: 053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512: F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
• Antivirus: Virustotal, Detection: 3%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4608
Entropy (8bit): 4.666004851298707
Encrypted: false
SSDEEP: 48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5: FAA7F034B38E729A983965C04CC70FC1
SHA1: DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256: 579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512: 7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown
Process:C:\Users\user\AppData\Local\Temp\C9EB.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):107232830
Entropy (8bit):7.999946456161068
Encrypted:true
SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 6%
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:dropped
Size (bytes):8192
Entropy (8bit):0.01057775872642915
Encrypted:false
SSDEEP:3:MsFl:/F
MD5:CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.012096502606932763
Encrypted:false
SSDEEP:3:MsEllllkXl:/M/6
MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.011852361981932763
Encrypted:false
SSDEEP:3:MsHlDll:/H
MD5:0962291D6D367570BEE5454721C17E11
SHA1:59D10A893EF321A706A9255176761366115BEDCB
SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:data
Category:modified
Size (bytes):8192
Entropy (8bit):0.012340643231932763
Encrypted:false
SSDEEP:3:MsGl3ll:/y
MD5:41876349CB12D6DB992F1309F22DF3F0
SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:dropped
Size (bytes):262512
Entropy (8bit):9.553120663130604E-4
Encrypted:false
SSDEEP:3:LsNl3eca/:Ls3O
MD5:C8F648B12741F94D8FE19A3572F24E6C
SHA1:3E232A7CB0E0E23927C47A2599500BF4429CC8A1
SHA-256:237C751D1B68B701BFBB84AB9B6C129EE8224D7784BF71D023BACB7E74BD3518
SHA-512:452F85698BD90F152538B6C4BC904EAD0E4645872D9BBB165BBEA2F947FD6496527BFA1ED385950FFC4F5B225785185909A6AC242AA81E241C0306DB92E0FCBA
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):8192
Entropy (8bit):4.622398838808078
Encrypted:false
SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 7%
• Antivirus: Virustotal, Detection: 11%
Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                          MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                          SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                          SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                          SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.012096502606932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsEllllkXl:/M/6
                                                                                                                                                                                                                          MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                                                                                                                                                                                          SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                                                                                                                                                                                          SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                                                                                                                                                                                          SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                          MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                          SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                          SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                          SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                          MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                          SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                          SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                          SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):262512
                                                                                                                                                                                                                          Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:LsNlva/:Ls3
                                                                                                                                                                                                                          MD5:816890C754BD219F234E076B4D533E4B
                                                                                                                                                                                                                          SHA1:8F52904B04218EE29A6CFFFB27EC5B2E1593AFE5
                                                                                                                                                                                                                          SHA-256:14AA944BBA4D597B2DFB6CEFED8E1A015E4BAE9440EC73D7726AB7F9093FEFD5
                                                                                                                                                                                                                          SHA-512:1116F1E7BD95093F29ADB895DEDACF1A4C6A1838E6D9C2054743185FCF0D9024C4412BD9F70F89FDD1CBBF182FFF2012917258419910BD4246ED057E5732C23D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........................................9....z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):296448
                                                                                                                                                                                                                          Entropy (8bit):5.660420770467009
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
                                                                                                                                                                                                                          MD5:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          SHA1:DA0D16BC66614C7D273C47F321C5EE0652FB5575
                                                                                                                                                                                                                          SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
                                                                                                                                                                                                                          SHA-512:258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                          • Antivirus: Virustotal, Detection: 11%, Browse
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 462336
Entropy (8bit): 6.803831500359682
Encrypted: false
SSDEEP: 6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5: 6DED8FCBF5F1D9E422B327CA51625E24
SHA1: 8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256: 3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512: BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 574376
Entropy (8bit): 5.8881470355864725
Encrypted: false
SSDEEP: 12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5: 8F81C9520104B730C25D90A9DD511148
SHA1: 7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256: F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512: B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 561424
Entropy (8bit): 4.606896607960262
Encrypted: false
SSDEEP: 6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5: 928ED37DB61C1E98A2831C8C01F6157C
SHA1: 98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256: 39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512: F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious: false
Reputation: unknown
Preview: <?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 215862
Entropy (8bit): 5.849338245796311
Encrypted: false
SSDEEP: 3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
MD5: 9D21A25AA1B5985A2C8CBCE7F7007295
SHA1: 86EBF56352B4DBB831FAE0CCA180B4ADD951240D
SHA-256: E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
SHA-512: EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 3%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 875520
Entropy (8bit): 5.621956468920589
Encrypted: false
SSDEEP: 12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5: B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1: 6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256: F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512: 19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 1946739
Entropy (8bit): 7.989700491058983
Encrypted: false
SSDEEP: 49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5: 96AD47D78A70B33158961585D9154ECC
SHA1: 149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256: C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512: 6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious: false
Reputation: unknown
Preview: ........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):214119
Entropy (8bit):7.955451054538398
Encrypted:false
SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:391F512173ECEC14EB5CE31299858DE1
SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):290001
Entropy (8bit):7.9670215100557735
Encrypted:false
SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:BF59A047984EAFC79E40B0011ED4116D
SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1305142
Entropy (8bit):7.99463351416358
Encrypted:true
SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:20DDA02AF522924E45223D7262D0E1ED
SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:current ar archive
Category:dropped
Size (bytes):87182312
Entropy (8bit):5.477474753748716
Encrypted:false
SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:FFD456A85E341D430AFA0C07C1068538
SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):656926
Entropy (8bit):7.964275415195004
Encrypted:false
SSDEEP:
MD5:3404DD2B0E63D9418F755430336C7164
SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1017158
Entropy (8bit):7.951759131641406
Encrypted:false
SSDEEP:
MD5:3FBF52922588A52245DC927BCC36DBB3
SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1174528
Entropy (8bit):6.475826085865088
Encrypted:false
SSDEEP:
MD5:207AC4BE98A6A5A72BE027E0A9904462
SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2106216
Entropy (8bit):6.4563314852745375
Encrypted:false
SSDEEP:
MD5:1C9B45E87528B8BB8CFA884EA0099A85
SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:false
Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):4127200
                                                                                                                                                                                                                          Entropy (8bit):6.577665867424953
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3B4647BCB9FEB591C2C05D1A606ED988
                                                                                                                                                                                                                          SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                                                                                                                                                                                                                          SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                                                                                                                                                                                                                          SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2205743
                                                                                                                                                                                                                          Entropy (8bit):7.923318114432295
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                                                                                                                                                                                                                          SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                                                                                                                                                                                                                          SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                                                                                                                                                                                                                          SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10717392
                                                                                                                                                                                                                          Entropy (8bit):6.282534560973548
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                                                                                                                                                                                          SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                                                                                                                                                                                          SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                                                                                                                                                                                          SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):377856
                                                                                                                                                                                                                          Entropy (8bit):6.602916265542373
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                                                                                                                                                                                                                          SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                                                                                                                                                                                                                          SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                                                                                                                                                                                                                          SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):6635008
                                                                                                                                                                                                                          Entropy (8bit):6.832077162910607
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:63988D35D7AB96823B5403BE3C110F7F
                                                                                                                                                                                                                          SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                                                                                                                                                                                                                          SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                                                                                                                                                                                                                          SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):176517632
                                                                                                                                                                                                                          Entropy (8bit):7.025874989859836
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                                                                                                                                                                                          SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                                                                                                                                                                                          SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                                                                                                                                                                                          SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:current ar archive
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):40258
                                                                                                                                                                                                                          Entropy (8bit):4.547436244061504
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                                                                                                                                                                                          SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                                                                                                                                                                                          SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                                                                                                                                                                                          SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):470498
                                                                                                                                                                                                                          Entropy (8bit):5.409080468053459
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                                                                                                                                                                                          SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                                                                                                                                                                                          SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                                                                                                                                                                                          SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):763010
                                                                                                                                                                                                                          Entropy (8bit):4.909167677028143
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                                                                                                                                                                                          SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                                                                                                                                                                                          SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                                                                                                                                                                                          SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):838413
                                                                                                                                                                                                                          Entropy (8bit):4.920788245468804
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:C70B71B05A8CA5B8243C951B96D67453
                                                                                                                                                                                                                          SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                                                                                                                                                                                          SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                                                                                                                                                                                          SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):869469
                                                                                                                                                                                                                          Entropy (8bit):4.677916300869337
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:12A9400F521EC1D3975257B2061F5790
                                                                                                                                                                                                                          SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                                                                                                                                                                                          SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                                                                                                                                                                                          SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1118348
                                                                                                                                                                                                                          Entropy (8bit):4.2989199535081895
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:89A24AF99D5592AB8964B701F13E1706
                                                                                                                                                                                                                          SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                                                                                                                                                                                                                          SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                                                                                                                                                                                                                          SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):537139
                                                                                                                                                                                                                          Entropy (8bit):5.397688491907634
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:37B54705BD9620E69E7E9305CDFAC7AB
                                                                                                                                                                                                                          SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                                                                                                                                                                                                                          SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                                                                                                                                                                                                                          SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):545011
                                                                                                                                                                                                                          Entropy (8bit):5.844949195905198
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:65A2C2A73232AB1073E44E0FB6310A5F
                                                                                                                                                                                                                          SHA1:F3158AA527538819C93F57E2C778198A94416C98
                                                                                                                                                                                                                          SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                                                                                                                                                                                                                          SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):496165
                                                                                                                                                                                                                          Entropy (8bit):5.446061543230436
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:A44EC6AAA456A6129FD820CA75E968BE
                                                                                                                                                                                                                          SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                                                                                                                                                                                                                          SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                                                                                                                                                                                                                          SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.".....*...../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q.............................*.....q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):534726
                                                                                                                                                                                                                          Entropy (8bit):5.49306456316532
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:49CA708EBB7A4913C36F7461F094886B
                                                                                                                                                                                                                          SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                                                                                                                                                                                                                          SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                                                                                                                                                                                                                          SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):950999
                                                                                                                                                                                                                          Entropy (8bit):4.76377388695373
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                                                                                                                                                                                          SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                                                                                                                                                                                          SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                                                                                                                                                                                          SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........)$..e.H...h.P...i.X...j.b...k.q...l.|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....|&.....&.....'.....'....;(....t(.....(....M).....)....;*....h*....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):430665
                                                                                                                                                                                                                          Entropy (8bit):5.517246002357965
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                                                                                                                                                                                          SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                                                                                                                                                                                          SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                                                                                                                                                                                          SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[.......................*.....V.....a...........*.....l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):434598
                                                                                                                                                                                                                          Entropy (8bit):5.509004494756697
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                                                                                                                                                                                          SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                                                                                                                                                                                          SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                                                                                                                                                                                          SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):524728
                                                                                                                                                                                                                          Entropy (8bit):5.377464936206393
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                                                                                                                                                                                          SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                                                                                                                                                                                          SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                                                                                                                                                                                          SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):523181
Entropy (8bit):5.356449408331279
Encrypted:false
SSDEEP:
MD5:3D1720FE1D801D54420438A54CBE1547
SHA1:8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):475733
Entropy (8bit):5.456553040437113
Encrypted:false
SSDEEP:
MD5:C00D66D3FD4FD9D777949E2F115F11FB
SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):773397
Entropy (8bit):5.04618630633187
Encrypted:false
SSDEEP:
MD5:C998140F7970B81117B073A87430A748
SHA1:8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):483378
Entropy (8bit):5.428549632880935
Encrypted:false
SSDEEP:
MD5:1CFD31A6B740D95E4D5D53432743EBF1
SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):546749
Entropy (8bit):5.197094281578282
Encrypted:false
SSDEEP:
MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):568277
Entropy (8bit):5.380723339968972
Encrypted:false
SSDEEP:
MD5:D185162DF4CAC9DCE7D70926099D1CF1
SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1103776
Entropy (8bit):4.336526106451521
Encrypted:false
SSDEEP:
MD5:44F704DB17F0203FA5195DC4572C946C
SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):681555
Entropy (8bit):4.658620623200349
Encrypted:false
SSDEEP:
MD5:E75086A24ECAA25CD18D547AB041C65A
SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1167065
                                                                                                                                                                                                                          Entropy (8bit):4.308980564019689
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                                                                                                                                                                                          SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                                                                                                                                                                                          SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                                                                                                                                                                                          SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):526575
                                                                                                                                                                                                                          Entropy (8bit):5.518614920030561
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                                                                                                                                                                                          SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                                                                                                                                                                                          SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                                                                                                                                                                                          SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):566819
                                                                                                                                                                                                                          Entropy (8bit):5.6387082185760935
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                                                                                                                                                                                          SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                                                                                                                                                                                          SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                                                                                                                                                                                          SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):466959
                                                                                                                                                                                                                          Entropy (8bit):5.379636778781472
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:1466C484179769A2263542E943742E59
                                                                                                                                                                                                                          SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                                                                                                                                                                                          SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                                                                                                                                                                                          SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):522800
                                                                                                                                                                                                                          Entropy (8bit):5.284113957149261
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                                                                                                                                                                                          SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                                                                                                                                                                                          SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                                                                                                                                                                                          SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2...........*.......................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x.................*.............................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):634636
                                                                                                                                                                                                                          Entropy (8bit):5.718480148171718
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4A4AF69546DCF65F2D722A574E221BEA
                                                                                                                                                                                                                          SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                                                                                                                                                                                                                          SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                                                                                                                                                                                                                          SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
Preview:........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U...........*.....d.....z....."...........*.....?...........X.................`.................@.................g............ ..... ..... .....

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1256908
Entropy (8bit):4.247594585839553
Encrypted:false
SSDEEP:
MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:false
Reputation:unknown
Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[.................................................................*.....u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N*.....*.....*.....,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):532715
Entropy (8bit):6.0824169765918725
Encrypted:false
SSDEEP:
MD5:5FD9942F57FFC499481947DB0C3FDFA7
SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:false
Reputation:unknown
Preview:........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):573015
Entropy (8bit):5.63016577624216
Encrypted:false
SSDEEP:
MD5:8745B87D09D9ECC1112C60F5DD934034
SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:false
Reputation:unknown
Preview:........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):570683
Entropy (8bit):5.624052036286866
Encrypted:false
SSDEEP:
MD5:E16B0B814074ACBD3A72AF677AC7BE84
SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:false
Reputation:unknown
Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1307271
Entropy (8bit):4.279854356980692
Encrypted:false
SSDEEP:
MD5:309E068B4E15157486D095301370B234
SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:false
Reputation:unknown
Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1075591
Entropy (8bit):4.313573412022857
Encrypted:false
SSDEEP:
MD5:69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:false
Reputation:unknown
Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):489457
Entropy (8bit):5.250540323172458
Encrypted:false
SSDEEP:
MD5:A1253E64F8910162B15B56883798E3C0
SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:false
Reputation:unknown
Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):476208
Entropy (8bit):5.4272499712806965
Encrypted:false
SSDEEP:
MD5:622ED80836E0EF3F949ED8A379CBE6DF
SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:false
Reputation:unknown
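The dropped-file records above repeat the same fields for every artifact setup.exe writes: size, 8-bit Shannon entropy, an Encrypted verdict, MD5/SHA1/SHA-256/SHA-512 and a printable preview. The following Python is an added example, not Joe Sandbox code, that reproduces those fields for a byte buffer and turns flattened report records into a deduplicated SHA-256 IOC list for blocklisting or retro-hunting. The 7.0 bits-per-byte cutoff used for the Encrypted flag is an assumption standing in for whatever threshold the sandbox applies; the two-record report snippet is constructed from values on this page.

```python
"""Reproduce sandbox dropped-file fields and extract SHA-256 IOCs from report text.

Added example; not part of the Joe Sandbox report or product.
"""
import hashlib
import math
from collections import Counter

# Assumption: treat >= 7.0 bits/byte as "encrypted/packed"; the real sandbox
# threshold is not stated on the page.
ENCRYPTED_THRESHOLD = 7.0

RECORD_KEYS = ("Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
               "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
               "Malicious", "Reputation", "Preview")


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, length: int = 64) -> str:
    """Render the first bytes like the report's Preview column: '.' for non-printables."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def describe(data: bytes) -> dict:
    """Compute the per-file fields a dropped-file record carries."""
    ent = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= ENCRYPTED_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Preview": preview(data),
    }


def parse_records(report_text: str) -> list:
    """Split flattened 'Key:Value' lines into one dict per dropped file.

    A new record begins at each 'Process:' line; unknown lines are skipped so
    surrounding report noise does not break parsing.
    """
    records = []
    for raw in report_text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep or key not in RECORD_KEYS:
            continue
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def sha256_iocs(records: list) -> list:
    """Lower-cased, deduplicated, sorted SHA-256 values ready for a blocklist."""
    return sorted({r["SHA-256"].lower() for r in records if r.get("SHA-256")})


# Constructed two-record snippet, values taken from the dropped-file list above.
SAMPLE_REPORT = """
Process:C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe
File Type:data
Size (bytes):532715
Entropy (8bit):6.0824169765918725
Encrypted:false
SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
Process:C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe
File Type:data
Size (bytes):573015
Entropy (8bit):5.63016577624216
Encrypted:false
SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(r["Size (bytes)"], r["Entropy (8bit)"], r["SHA-256"])
    print(describe(b"MZ\x90\x00\x03" + bytes(range(256))))
```

Entropy near 4 to 6 bits per byte, as every record here shows, is consistent with structured or lightly compressed data rather than a ciphertext or packed blob; that is why each is marked Encrypted:false even though the files are opaque "data". Run the hashes from `sha256_iocs` against EDR telemetry rather than the MD5 values, since MD5 is collision-prone and most platforms index on SHA-256.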
                                                                                                                                                                                                                          Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):491139
                                                                                                                                                                                                                          Entropy (8bit):5.362822162782947
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:C8378A81039DB6943F97286CC8C629F1
                                                                                                                                                                                                                          SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                                                                                                                                                                                          SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                                                                                                                                                                                          SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):550453
                                                                                                                                                                                                                          Entropy (8bit):5.757462673735937
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                                                                                                                                                                                          SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                                                                                                                                                                                          SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                                                                                                                                                                                          SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):516256
                                                                                                                                                                                                                          Entropy (8bit):5.426294949123783
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3BA426E91C34E1C33F13912974835F7D
                                                                                                                                                                                                                          SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                                                                                                                                                                                          SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                                                                                                                                                                                          SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):518861
                                                                                                                                                                                                                          Entropy (8bit):5.4029194034596575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                                                                                                                                                                                          SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                                                                                                                                                                                          SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                                                                                                                                                                                          SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):537125
                                                                                                                                                                                                                          Entropy (8bit):5.4566742297332596
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                                                                                                                                                                                          SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                                                                                                                                                                                          SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                                                                                                                                                                                          SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):878725
                                                                                                                                                                                                                          Entropy (8bit):4.848685093578222
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:3A3D0D865A78399306924D3ED058274E
                                                                                                                                                                                                                          SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                                                                                                                                                                                          SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                                                                                                                                                                                          SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):553886
Entropy (8bit):5.812150703289796
Encrypted:false
SSDEEP:
MD5:A9656846F66A36BB399B65F7B702B47D
SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):532410
Entropy (8bit):5.486224954097277
Encrypted:false
SSDEEP:
MD5:BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):818089
Entropy (8bit):4.779985663253385
Encrypted:false
SSDEEP:
MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):479512
Entropy (8bit):5.541069475898216
Encrypted:false
SSDEEP:
MD5:09592A0D35100CD9707C278C9FFC7618
SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):504856
Entropy (8bit):5.34516819438501
Encrypted:false
SSDEEP:
MD5:9E038A0D222055FED6F1883992DCA5A8
SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1298313
Entropy (8bit):4.058495187693592
Encrypted:false
SSDEEP:
MD5:36104CB0D5E26E0BBB313E529C14F4B4
SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1199612
Entropy (8bit):4.314031920337284
Encrypted:false
SSDEEP:
MD5:98714389748A98ECC536CD2F17859BDF
SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1008989
Entropy (8bit):4.356501290091745
Encrypted:false
SSDEEP:
MD5:56F29DE3465795E781A52FCF736BBE08
SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):515329
Entropy (8bit):5.616482888977033
Encrypted:false
SSDEEP:
MD5:46CA9EE922C3C175DE466066F40B29CE
SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):876131
Entropy (8bit):4.88404350774067
Encrypted:false
SSDEEP:
MD5:1365ABDD1EFB44720EA3975E4A472530
SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):765853
Entropy (8bit):5.17061834928747
Encrypted:false
SSDEEP:
MD5:3FED15E64BEAFBA75DE61B08A45AE106
SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):609259
Entropy (8bit):5.796202390024141
Encrypted:false
SSDEEP:
MD5:CD741C24AF7597E0DC11069D3AC324E0
SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):441207
Entropy (8bit):6.685712707138377
Encrypted:false
SSDEEP:
MD5:99E6ACFB46923C4F8B29058E9EE6166B
SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):439630
Entropy (8bit):6.6906570508767995
Encrypted:false
SSDEEP:
MD5:BB7C995F257B9125457381BB01856D72
SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):275968
Entropy (8bit):5.778490068583466
Encrypted:false
SSDEEP:
MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>..*..?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}....*...0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4....*.........//........{....*"..}....*..{....*....0..4..........%...(5....-.~....r?..p(....+...}.......,..(6....*........')........{....*..{....*"..}....*.*..{....*"..}....*.0..........

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1547797
Entropy (8bit):4.370092880615517
Encrypted:false
SSDEEP:
MD5:32AB4E0A9A82245EE3B474EF811F558F
SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):342741
Entropy (8bit):5.496697631795104
Encrypted:false
SSDEEP:
MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):8226870
Entropy (8bit):7.996842728494533
Encrypted:true
SSDEEP:
MD5:F7EC58AEA756F3FD8A055AC582103A78
SHA1:086B63691F5E5375A537E99E062345F56512A22C
SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):276319
Entropy (8bit):4.242318669799302
Encrypted:false
SSDEEP:
MD5:8234983533FA47D2A1D7710FF8274299
SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.8731406795131327
Encrypted:false
SSDEEP:
MD5:2C66F3C2190A84FAFD4449DAF6440EAC
SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:start GamePall.exe OuWe5kl
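The two records above are the ones a triage script keys on in a listing like this: the 8 MB "data" blob with entropy 7.9968 that the sandbox marks Encrypted:true, and the 26-byte ASCII file whose preview is a single launcher command line. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in the flat Key:Value layout shown on this page, recomputes the report's "Entropy (8bit)" figure with a plain Shannon entropy, and emits triage tags plus a SHA-256 IOC list for everything marked Malicious:true. SAMPLE_REPORT is a constructed excerpt of three records from this listing; the cutoffs ENTROPY_PACKED = 7.9 and TINY_TEXT_BYTES = 1024 are assumptions of this example, not Joe Sandbox's own thresholds.

```python
"""Triage helper for Joe Sandbox 'dropped files' records (added example).

Assumes the flat Key:Value layout shown above: one field per line, each
record beginning at its 'Process:' line.  Thresholds are assumptions.
"""
import math
from typing import Dict, List

ENTROPY_PACKED = 7.9     # assumed cutoff: above this, treat as packed/encrypted
TINY_TEXT_BYTES = 1024   # assumed cutoff: text this small is usually a launcher/config

# Constructed excerpt: three records copied from the listing on this page.
SAMPLE_REPORT = r"""
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):275968
Entropy (8bit):5.778490068583466
Encrypted:false
SSDEEP:
MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):8226870
Entropy (8bit):7.996842728494533
Encrypted:true
SSDEEP:
MD5:F7EC58AEA756F3FD8A055AC582103A78
SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.8731406795131327
Encrypted:false
SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
Malicious:false
Reputation:unknown
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the flat listing into one dict per dropped file."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")      # first ':' only; values may contain ':'
        key, value = key.strip(), value.strip()
        if key == "Process":                      # every record starts with its parent process
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits/byte, the same scale as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Tag each record with the heuristics an analyst applies by eye."""
    findings = []
    for r in records:
        ftype = r.get("File Type", "")
        size = int(r.get("Size (bytes)", "0"))
        ent = float(r.get("Entropy (8bit)", "0"))
        tags = []
        if r.get("Malicious") == "true":
            tags.append("flagged-malicious")
        if r.get("Encrypted") == "true" or ent >= ENTROPY_PACKED:
            tags.append("high-entropy-payload")   # candidate for a staged/encrypted second stage
        if ftype.startswith("PE32"):
            tags.append("dotnet-pe" if "Mono/.Net" in ftype else "native-pe")
        if ftype.startswith("ASCII text") and size <= TINY_TEXT_BYTES:
            tags.append("tiny-text-launcher?")    # read the preview: often a command line
        if tags:
            findings.append({"sha256": r.get("SHA-256", "?"), "size": size,
                             "entropy": ent, "tags": tags})
    return findings


def iocs(records: List[Dict[str, str]]) -> List[str]:
    """SHA-256 of everything the report marked Malicious:true (blocklists, retro-hunts)."""
    return sorted(r["SHA-256"] for r in records
                  if r.get("Malicious") == "true" and "SHA-256" in r)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for f in triage(recs):
        print(f"{f['sha256'][:16]}...  {f['size']:>9} B  H={f['entropy']:.3f}  {', '.join(f['tags'])}")
    print("IOCs:", iocs(recs))
    print("launcher entropy:", round(shannon_entropy(b"start GamePall.exe OuWe5kl"), 6))
```

Running it reproduces the report's 3.87314 for the 26-byte launcher, which is a quick way to confirm the entropy column is plain per-byte Shannon entropy before you rely on it. The "Encrypted" flag is only a heuristic: compressed archives, media and signed .NET resources also sit near 8.0 bits/byte, so corroborate a high-entropy tag with the File Type and with what the parent process (here setup.exe) does with the file before calling it a staged payload.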

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:MSVC program database ver 7.00, 512*4023 bytes
Category:dropped
Size (bytes):2059776
Entropy (8bit):4.067542396670122
Encrypted:false
SSDEEP:
MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                          Preview:Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):346624
Entropy (8bit):6.54104466243173
Encrypted:false
SSDEEP:
MD5:7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2445312
                                                                                                                                                                                                                          Entropy (8bit):6.750207745422387
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:334C3157E63A34B22CCE25A44A04835F
                                                                                                                                                                                                                          SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                                                                                                                                                                                                                          SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                                                                                                                                                                                                                          SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):631017
                                                                                                                                                                                                                          Entropy (8bit):5.144793130466209
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                                                                                                                                                                                                                          SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                                                                                                                                                                                                                          SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                                                                                                                                                                                                                          SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):4400640
                                                                                                                                                                                                                          Entropy (8bit):6.667314807988382
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:7F913E31D00082338F073EF60D67B335
                                                                                                                                                                                                                          SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                                                                                                                                                                                                                          SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                                                                                                                                                                                                                          SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):106
                                                                                                                                                                                                                          Entropy (8bit):4.724752649036734
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                                                                                                                                                          SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                                                                                                                                                          SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                                                                                                                                                          SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):826368
                                                                                                                                                                                                                          Entropy (8bit):6.78646032943732
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:A031EB19C61942A26EF74500AD4B42DF
                                                                                                                                                                                                                          SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                                                                                                                                                                                                                          SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                                                                                                                                                                                                                          SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):211456
                                                                                                                                                                                                                          Entropy (8bit):6.566524833521835
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:6D7FD214164C858BBCF4AA050C114E8C
                                                                                                                                                                                                                          SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                                                                                                                                                                                                                          SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                                                                                                                                                                                                                          SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):176640
                                                                                                                                                                                                                          Entropy (8bit):6.504390639949849
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:
                                                                                                                                                                                                                          MD5:27FDFBC4A5388E3C43FB79D75EE2B048
                                                                                                                                                                                                                          SHA1:8E3BBF0F0A899B8BB2EAC42830081AFF222A87A8
                                                                                                                                                                                                                          SHA-256:2BF758EC68EE38FB0E7BC577E3F8F0E3BE2DA66E73CCFB1328B8DA6A496840C9
SHA-512:8BEC478D14A02E5E88E4164BD75C7C206B4B41D7E8E122A594C219BA85B0CE30C0926634EAA0A6F5CD2527DADFA826C6684870E4558B04B2E1C94B0A8B9AB40E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L...4_ e.................l...80...................@...........................1.....h..........................................P.....0.................................................................................|............................text....k.......l.................. ..`.rdata..` ......."...p..............@..@.data...H...........................@....rsrc.........0.....................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.504390639949849
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:LXbM8RbhLa.exe
File size:176'640 bytes
MD5:27fdfbc4a5388e3c43fb79d75ee2b048
SHA1:8e3bbf0f0a899b8bb2eac42830081aff222a87a8
SHA256:2bf758ec68ee38fb0e7bc577e3f8f0e3be2da66e73ccfb1328b8da6a496840c9
SHA512:8bec478d14a02e5e88e4164bd75c7c206b4b41d7e8e122a594c219ba85b0ce30c0926634eaa0a6f5cd2527dadfa826c6684870e4558b04b2e1c94b0a8b9ab40e
SSDEEP:3072:1t50LNHDm3D6u39Efajf33A3lXhPtP5vtLgvl1KuU3:D50LNHDUD6uyA3AbDCvS7
TLSH:EE04375177F6D026FFF78B311A74A2941A3BBC637A7481AEA650324E0E33AD18D61713
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........u.....j.......t.......q.....Rich............PE..L...4_ e.................l.
Icon Hash:cb97374d55555d9a
Entrypoint:0x401908
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x65205F34 [Fri Oct 6 19:25:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:a2f98760372f92ec7255c044ca187eb8
Instruction
call 00007FCB98B3E035h
jmp 00007FCB98B3A2FEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C918h], eax
mov dword ptr [0041C914h], ecx
mov dword ptr [0041C910h], edx
mov dword ptr [0041C90Ch], ebx
mov dword ptr [0041C908h], esi
mov dword ptr [0041C904h], edi
mov word ptr [0041C930h], ss
mov word ptr [0041C924h], cs
mov word ptr [0041C900h], ds
mov word ptr [0041C8FCh], es
mov word ptr [0041C8F8h], fs
mov word ptr [0041C8F4h], gs
pushfd
pop dword ptr [0041C928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C868h], 00010001h
mov eax, dword ptr [0041C920h]
mov dword ptr [0041C81Ch], eax
mov dword ptr [0041C810h], C0000409h
mov dword ptr [0041C814h], 00000001h
mov eax, dword ptr [0041B004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A4h]
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x197ec | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2308000 | 0x101d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16b9f | 0x16c00 | 651ea74cc39d6063e4f761cfd00d9311 | False | 0.8053850446428571 | data | 7.514529236691774 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x18000 | 0x2060 | 0x2200 | fe32a06b6049963eaaffd1c402b49757 | False | 0.3508731617647059 | data | 5.3886273312215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x22ec548 | 0x1e00 | dbbf92547299e9e029a3fc28851afff4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2308000 | 0x101d8 | 0x10200 | b6e842133e2fe63c8c7159045122da4d | False | 0.4587875484496124 | data | 4.9974876503587335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
NUSUTUMA | 0x230ef08 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
RT_CURSOR | 0x230f308 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x230f438 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x23086d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6103411513859275
RT_ICON | 0x2309578 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6953971119133574
RT_ICON | 0x2309e20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.75
RT_ICON | 0x230a4e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7904624277456648
RT_ICON | 0x230aa50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5952282157676348
RT_ICON | 0x230cff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.725844277673546
RT_ICON | 0x230e0a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.739344262295082
RT_ICON | 0x230ea28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8820921985815603
RT_STRING | 0x2311bb8 | 0xaa | data | | | 0.611764705882353
RT_STRING | 0x2311c68 | 0x6e | data | | | 0.6
                                                                                                                                                                                                                          RT_STRING0x2311cd80x6b2data0.4305717619603267
                                                                                                                                                                                                                          RT_STRING0x23123900x688data0.4342105263157895
                                                                                                                                                                                                                          RT_STRING0x2312a180x6a4data0.42764705882352944
                                                                                                                                                                                                                          RT_STRING0x23130c00x202data0.5019455252918288
                                                                                                                                                                                                                          RT_STRING0x23132c80x6a4data0.42705882352941177
                                                                                                                                                                                                                          RT_STRING0x23139700x6d8data0.4297945205479452
                                                                                                                                                                                                                          RT_STRING0x23140480x7e0data0.42162698412698413
                                                                                                                                                                                                                          RT_STRING0x23148280x71adata0.42684268426842686
                                                                                                                                                                                                                          RT_STRING0x2314f480x698data0.4277251184834123
                                                                                                                                                                                                                          RT_STRING0x23155e00x798data0.4202674897119342
                                                                                                                                                                                                                          RT_STRING0x2315d780x6dcdata0.4299544419134396
                                                                                                                                                                                                                          RT_STRING0x23164580x82cdata0.41634799235181646
                                                                                                                                                                                                                          RT_STRING0x2316c880x672data0.44
                                                                                                                                                                                                                          RT_STRING0x23173000x752data0.4247598719316969
                                                                                                                                                                                                                          RT_STRING0x2317a580x724data0.424507658643326
                                                                                                                                                                                                                          RT_STRING0x23181800x52data0.6585365853658537
                                                                                                                                                                                                                          RT_GROUP_CURSOR0x23119e00x22data1.088235294117647
                                                                                                                                                                                                                          RT_GROUP_ICON0x230ee900x76dataTurkishTurkey0.6610169491525424
                                                                                                                                                                                                                          RT_VERSION0x2311a080x1b0data0.5972222222222222
DLL | Import
KERNEL32.dll | CreateJobObjectW, GetModuleHandleExW, SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, GetModuleFileNameW, ZombifyActCtx, GetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, GetConsoleAliasesW, OpenJobObjectA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll | GetBoundsRect
ole32.dll | CoTaskMemRealloc
Language of compilation system | Country where language is spoken
Turkish | Turkey

Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Target ID: 0
Start time: 01:45:48
Start date: 03/07/2024
Path: C:\Users\user\Desktop\LXbM8RbhLa.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LXbM8RbhLa.exe"
Imagebase: 0x400000
File size: 176'640 bytes
MD5 hash: 27FDFBC4A5388E3C43FB79D75EE2B048
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2118711570.0000000004391000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2118563615.0000000004360000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:46:00
Start date: 03/07/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 01:46:18
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\ervhhuc
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\ervhhuc
Imagebase: 0x400000
File size: 176'640 bytes
MD5 hash: 27FDFBC4A5388E3C43FB79D75EE2B048
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2408976355.0000000004350000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2408947734.0000000004340000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2409074873.0000000004491000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2408700708.000000000276B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 5
Start time: 01:46:34
Start date: 03/07/2024
Path: C:\Users\user\AppData\Local\Temp\A50C.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\A50C.exe
Imagebase: 0x390000
File size: 6'642'176 bytes
MD5 hash: BD2EAC64CBDED877608468D86786594A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2517106518.000000000142E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2517201953.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2530246303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2466602842.0000000001435000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2517673871.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 50%, ReversingLabs
• Detection: 69%, Virustotal
Reputation: low
Has exited: true

                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                          Start time:01:46:43
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\C9EB.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\C9EB.exe
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:293'869 bytes
                                                                                                                                                                                                                          MD5 hash:60172CA946DE57C3529E9F05CC502870
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 21%, ReversingLabs
                                                                                                                                                                                                                          • Detection: 9%, Virustotal, Browse
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                          Start time:01:46:49
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\EDA0.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\EDA0.exe
                                                                                                                                                                                                                          Imagebase:0x900000
                                                                                                                                                                                                                          File size:578'048 bytes
                                                                                                                                                                                                                          MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3349177765.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                          • Detection: 16%, ReversingLabs
                                                                                                                                                                                                                          • Detection: 38%, Virustotal, Browse
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                          Start time:01:48:05
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:107'232'830 bytes
                                                                                                                                                                                                                          MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                          • Detection: 6%, Virustotal, Browse
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                          Start time:01:48:34
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Imagebase:0x800000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                          • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                          • Detection: 11%, Virustotal, Browse
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                          Start time:01:48:38
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                                                                                                                                                                                                                          Imagebase:0x810000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                                          Start time:01:48:38
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3396 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                                                          Start time:01:48:38
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3808 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:0x720000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:16
Start time:01:48:38
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845153143 --mojo-platform-channel-handle=3856 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0xae0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:17
Start time:01:48:38
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719978473683865 --launch-time-ticks=7845163762 --mojo-platform-channel-handle=3892 --field-trial-handle=3128,i,16564650160723935827,11428467048589295655,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0xda0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:18
Start time:01:48:39
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x790000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:19
Start time:01:48:39
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x4b0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:01:48:40
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xa00000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:01:48:41
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xa50000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:01:48:42
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xc70000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:01:48:42
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xf70000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:01:48:42
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xc60000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                                                          Start time:01:48:43
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xee0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                          Start time:01:48:43
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x640000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                          Start time:01:48:43
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x290000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:28
                                                                                                                                                                                                                          Start time:01:48:44
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xe90000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                                                          Start time:01:48:44
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x990000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                          Start time:01:48:45
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x1b0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                                                          Start time:01:48:45
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xc60000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:32
                                                                                                                                                                                                                          Start time:01:48:45
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0xbb0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:33
                                                                                                                                                                                                                          Start time:01:48:45
                                                                                                                                                                                                                          Start date:03/07/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                          Imagebase:0x1a0000
                                                                                                                                                                                                                          File size:296'448 bytes
                                                                                                                                                                                                                          MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:34
Start time: 01:48:45
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0x650000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 35
Start time: 01:48:45
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0x5d0000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 36
Start time: 01:48:46
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0x5a0000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 01:48:46
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0xf00000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 01:48:46
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0x8c0000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 01:48:46
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase: 0xa00000
File size: 296'448 bytes
MD5 hash: 7A3502C1119795D35569535DE243B6FE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 20%
Signature Coverage: 45.7%
Total number of Nodes: 140
Total number of Limit Nodes: 6

Control-flow Graph (function at 401496)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
• Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Control-flow Graph (function at 401538)
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1546783058-0
                                                                                                                                                                                                                            • Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                                                                                                                                                                            • Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
• Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
• Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
• Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
                                                                                                                                                                                                                            • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                                                                                                                                                                            • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Control-flow Graph (basic blocks from 0040157C, calling NtDuplicateObject, NtCreateSection and NtMapViewOfSection; graph rendering not preserved)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
• Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
• Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
• Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Control-flow Graph (basic blocks from 00402FE9, calling RtlCreateUserThread and NtTerminateProcess; graph rendering not preserved)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Control-flow Graph (basic blocks from 029DF492, calling CreateToolhelp32Snapshot and Module32First; graph rendering not preserved)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029DF4BA
• Module32First.KERNEL32(00000000,00000224), ref: 029DF4DA
Memory Dump Source
• Source File: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 029DC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29dc000_LXbM8RbhLa.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 42c53b8e0e409f78220d57de1f40388ca4a2c0a27d81e16dc4c62ee8ec41e136
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 57F0F6322007106BD7203BF4AC8EB6E72ECBF48324F108129E64BA18C0CB70F8059A60

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,00000000), ref: 00417921
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041792F
• WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417946
• lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041795D
• GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417966
• SetFileApisToANSI.KERNEL32 ref: 0041796C
• ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 004179AD
• SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 004179B5
• GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 004179C4
• EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004179CD
• GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004179DF
• GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004179FB
• GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417A26
• AddAtomA.KERNEL32(00000000), ref: 00417A2D
• GetCommProperties.KERNELBASE(00000000,?), ref: 00417A3B
• GetTickCount.KERNEL32 ref: 00417A41
• GetLastError.KERNEL32 ref: 00417A47
• ZombifyActCtx.KERNEL32(00000000), ref: 00417A5A
• GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00417A69
• FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417A85
• LoadLibraryA.KERNELBASE(004193A0), ref: 00417B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
Similarity
• API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCommCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointPropertiesReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
• String ID: k`$tl_$}$
• API String ID: 3342591227-211918992
• Opcode ID: 4a737c72b8b2e5e8f5a0726ffab7c7983664f1f5bd7eb7921d096495e0bb4b50
• Instruction ID: 60de32a46b810539f56dbbc9a0e9370a80c3ea5f16581ae93fdb629d8a96e62a
• Opcode Fuzzy Hash: 4a737c72b8b2e5e8f5a0726ffab7c7983664f1f5bd7eb7921d096495e0bb4b50
• Instruction Fuzzy Hash: 7F718D71845528AFD721AB65EC88CDF7B78FF09354B10846AF106E2150CF389A89CFAD

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                             control_flow_graph 61 289003c-2890047 62 2890049 61->62 63 289004c-2890263 call 2890a3f call 2890e0f call 2890d90 VirtualAlloc 61->63 62->63 78 289028b-2890292 63->78 79 2890265-2890289 call 2890a69 63->79 81 28902a1-28902b0 78->81 83 28902ce-28903c2 VirtualProtect call 2890cce call 2890ce7 79->83 81->83 84 28902b2-28902cc 81->84 90 28903d1-28903e0 83->90 84->81 91 2890439-28904b8 VirtualFree 90->91 92 28903e2-2890437 call 2890ce7 90->92 94 28904be-28904cd 91->94 95 28905f4-28905fe 91->95 92->90 97 28904d3-28904dd 94->97 98 289077f-2890789 95->98 99 2890604-289060d 95->99 97->95 101 28904e3-2890505 97->101 102 289078b-28907a3 98->102 103 28907a6-28907b0 98->103 99->98 104 2890613-2890637 99->104 115 2890517-2890520 101->115 116 2890507-2890515 101->116 102->103 106 289086e-28908be LoadLibraryA 103->106 107 28907b6-28907cb 103->107 105 289063e-2890648 104->105 105->98 108 289064e-289065a 105->108 114 28908c7-28908f9 106->114 110 28907d2-28907d5 107->110 108->98 113 2890660-289066a 108->113 111 2890824-2890833 110->111 112 28907d7-28907e0 110->112 121 2890839-289083c 111->121 118 28907e2 112->118 119 28907e4-2890822 112->119 120 289067a-2890689 113->120 122 28908fb-2890901 114->122 123 2890902-289091d 114->123 117 2890526-2890547 115->117 116->117 124 289054d-2890550 117->124 118->111 119->110 125 289068f-28906b2 120->125 126 2890750-289077a 120->126 121->106 127 289083e-2890847 121->127 122->123 128 28905e0-28905ef 124->128 129 2890556-289056b 124->129 130 28906ef-28906fc 125->130 131 28906b4-28906ed 125->131 126->105 132 2890849 127->132 133 289084b-289086c 127->133 128->97 135 289056d 129->135 136 289056f-289057a 129->136 137 289074b 130->137 138 28906fe-2890748 130->138 131->130 132->106 133->121 135->128 139 289059b-28905bb 136->139 140 289057c-2890599 136->140 137->120 138->137 145 28905bd-28905db 139->145 140->145 145->124
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0289024D
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_2890000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID: cess$kernel32.dll
                                                                                                                                                                                                                            • API String ID: 4275171209-1230238691
                                                                                                                                                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                            • Instruction ID: c997201cdecb3648b2e56fee046b3fa2da64ec33051d39351a34cb71058efc3e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EA526978A01229DFDB64CF58C984BACBBB1BF09314F1480D9E94DAB351DB30AA85CF15

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 558 2890e0f-2890e24 SetErrorMode * 2 559 2890e2b-2890e2c 558->559 560 2890e26 558->560 560->559
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02890223,?,?), ref: 02890E19
                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02890223,?,?), ref: 02890E1E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_2890000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorMode
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                            • Instruction ID: 64a0438e56daf11c09d5284f859e4577e87c78201fd34de8cb6cd8ece5d8afb3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7FD0123914512877DB002A94DC09BCD7B1CDF05B66F048011FB0DD9080C770954046E5

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 561 41760f-41762c VirtualProtect
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualProtect.KERNELBASE(00000040,?), ref: 00417625
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 544645111-0
                                                                                                                                                                                                                            • Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                                                                                                                                                                                            • Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                                                                                                                                                                            • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029DF1A2
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 029DC000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_29dc000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction ID: 521cf881e577ddf52d6005579423ce160b7ee6a3066ce6e93a0f8e10691f901f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D7113C79A00208EFDB01DF98C985E98BBF5AF08751F05C094F9499B361D371EA50EF80
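The "APIs" listings in the entries above are raw Joe Sandbox IDA-plugin output: each line is `Api.Module(args), ref: address`, with the arguments printed as hex and `?` where the plugin could not recover a value. Read together, this section shows three things a triager cares about: a loader stub that allocates PAGE_READWRITE (0x04) memory with VirtualAlloc and only later flips it with VirtualProtect (the 0x40 in the VirtualProtect entry is PAGE_EXECUTE_READWRITE), while a second dump region allocates RWX outright; a SetErrorMode(0x400) immediately followed by SetErrorMode(0), which is the pattern of a sandbox probe that compares the returned previous mode against the value it just set; and a Sleep(0x1388 = 5000 ms) leading into NtDuplicateObject, NtCreateSection(PAGE_READWRITE, SEC_COMMIT) and NtMapViewOfSection, the section-object staging step behind the "Maps a DLL or memory area into another process" signature. The script below is an added example, not part of the report or of Joe Sandbox: it parses these lines and decodes the constants, flagging the patterns named above. The sample listing is copied from this section; the finding tags, the choice to match VirtualProtect's protection constant by value (because the report's argument list for it is partial), and the assumption that the report renders the NtCurrentProcess() pseudo-handle (-1) as 000000FF are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 / NT constants that the report prints as raw hex.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_READWRITE = 0x40
SEC_COMMIT = 0x08000000

# Constructed sample: call lines copied from the listings in this section, including the
# "Part of subcall function" prefix Joe Sandbox prints for callees.
SAMPLE_LISTING = """\
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0289024D
• SetErrorMode.KERNELBASE(00000400,?,?,02890223,?,?), ref: 02890E19
• SetErrorMode.KERNELBASE(00000000,?,?,02890223,?,?), ref: 02890E1E
• VirtualProtect.KERNELBASE(00000040,?), ref: 00417625
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029DF1A2
"""

_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?' (value not recovered)
    ref: int                   # address of the call instruction


@dataclass
class Finding:
    tag: str
    ref: int
    detail: str


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16))


def parse_api_listing(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def triage(calls: List[ApiCall]) -> List[Finding]:
    out: List[Finding] = []
    for i, c in enumerate(calls):
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): RWX at allocation time.
        if c.api == "VirtualAlloc" and len(c.args) >= 4 and c.args[3] == PAGE_EXECUTE_READWRITE:
            out.append(Finding("rwx_alloc", c.ref, "VirtualAlloc flProtect=PAGE_EXECUTE_READWRITE"))
        # The report lists only the VirtualProtect arguments it could recover, so match the
        # protection constant by value rather than by position (heuristic, my own choice).
        if c.api == "VirtualProtect" and PAGE_EXECUTE_READWRITE in c.args:
            out.append(Finding("rwx_protect", c.ref, "VirtualProtect flNewProtect=PAGE_EXECUTE_READWRITE"))
        # SetErrorMode(x) immediately followed by SetErrorMode(0): the second call returns the
        # previous mode, so the caller can compare it with x to spot hooked or emulated APIs.
        if (c.api == "SetErrorMode" and c.args and c.args[0] and nxt is not None
                and nxt.api == "SetErrorMode" and nxt.args and nxt.args[0] == 0):
            out.append(Finding("seterrormode_probe", c.ref,
                               f"SetErrorMode({c.args[0]:#x}) then SetErrorMode(0)"))
        if c.api == "Sleep" and c.args and c.args[0] is not None and c.args[0] >= 1000:
            out.append(Finding("delay", c.ref, f"Sleep({c.args[0]} ms)"))
    # NtCreateSection + NtMapViewOfSection: memory set up through a section object instead of
    # VirtualAlloc; the same primitive maps code into another process when ProcessHandle is remote.
    by_api = {c.api: c for c in calls}
    if "NtCreateSection" in by_api and "NtMapViewOfSection" in by_api:
        cs, mv = by_api["NtCreateSection"], by_api["NtMapViewOfSection"]
        prot = PAGE_PROTECT.get(cs.args[4], "?") if len(cs.args) > 4 and cs.args[4] is not None else "?"
        commit = "SEC_COMMIT" if len(cs.args) > 5 and cs.args[5] == SEC_COMMIT else "?"
        # Assumption: the report renders the NtCurrentProcess() pseudo-handle (-1) as 000000FF.
        target = "self" if len(mv.args) > 1 and mv.args[1] in (0xFF, 0xFFFFFFFF) else "remote/unknown"
        out.append(Finding("section_map", mv.ref,
                           f"NtCreateSection({prot},{commit}) + NtMapViewOfSection target={target}"))
    return out


if __name__ == "__main__":
    for f in triage(parse_api_listing(SAMPLE_LISTING)):
        print(f"{f.tag:<20} @ {f.ref:08X}  {f.detail}")
```

Paste the "APIs" lines of any other entry into `SAMPLE_LISTING` (or read them from a file) to triage it the same way. Two caveats when reading the results against this report: the first VirtualAlloc (ref 0289024D) is correctly not flagged, because the stub allocates read/write and only becomes executable through the later VirtualProtect in the same control-flow graph, so checking VirtualAlloc alone misses this loader; and the section mapping here is flagged as self-mapping because the ProcessHandle shown is the local pseudo-handle, whereas the injection into another process that the report's signatures describe would show a real handle in that position.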
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116298613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ADC), ref: 004175F8
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: cdcd8a0988f673fa045c50961f52c9f1ae218486d1cfe669481924149af0991a
                                                                                                                                                                                                                            • Instruction ID: 60c6e845e2a02117f4b28fcf1b91ee77208488f163ffa838c513fb20d1336324
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cdcd8a0988f673fa045c50961f52c9f1ae218486d1cfe669481924149af0991a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 48B01270840204CED3001F71DC4470E7E91B388202F42C425F818C2284CEB008085E21
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417ADC), ref: 004175F8
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocGlobal
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761449716-0
                                                                                                                                                                                                                            • Opcode ID: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction ID: d55db0c2126c828c826ef05274ed4aaa6eabc9571a3453db39e0ff1d3a989bdf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6adb750e7ea17ba4dfc271b57f0e32d75a63e91da777faa17e994a4e47bbaa96
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6B01270C80204DFDB000FB0EC44B0C7FA1B30C302F40C415F50441158CFB004289F20
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_2890000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: .$GetProcAddress.$l
                                                                                                                                                                                                                            • API String ID: 0-2784972518
                                                                                                                                                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                            • Instruction ID: 6f320c3e1602641297585d522c98663e4b0faf4a5fe22def071858f77ca5d7b7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A3139BA900609DFDB10CF99C880AAEBBF5FF48328F19414AD845E7211D771EA45CBA4
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2118363104.00000000029DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 029DC000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_29dc000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                                                                            • Instruction ID: d528afecd72ba0308422ac30e3d8e3814de85e55c28021d0f70e88839a0df96c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A113C72340100AFDB54DE55DC81FA673EAEF89224B198465ED48CF355EA76E842CB60
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000000.00000002.2117673629.0000000002890000.00000040.00001000.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_2890000_LXbM8RbhLa.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: ae9f0f21dde7146ba1e67cb7a743fa0bfa4e3ba1912c74222c30268ddd622b15
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: A801A27EA106048FDF21CF24C804BAE33F9EBC6216F5945B5D90BD7281E774B9418B90
APIs
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041778A
• OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 004177A7
• BuildCommDCBW.KERNEL32(00000000,?), ref: 004177B2
• LoadLibraryA.KERNEL32(00000000), ref: 004177B9
Memory Dump Source
• Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
Similarity
• API ID: Object$BuildCommCreateLibraryLoadOpen
• String ID:
• API String ID: 2043902199-0
• Opcode ID: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
• Instruction ID: 846ca8089aff8ae996d99bea62a5558699b8f6f579bbf3e3d6bb547014525509
• Opcode Fuzzy Hash: 9f3ed112706eb8286ade0b86c195286d9610ac0970c0ce61b43f95d78f98277c
• Instruction Fuzzy Hash: A9E03930802528EF87116B61EC888DF7FACFF0A359B418024F40591145DB785A49CFF9
APIs
• GetModuleHandleW.KERNEL32(02705280), ref: 004176F9
• GetProcAddress.KERNEL32(00000000,0041D350), ref: 00417736
Strings
Memory Dump Source
• Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-3916222277
• Opcode ID: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
• Instruction ID: 2e8a44649ca65890e54a3d20935e35ee91b056c6f1b602c9ab2b578a56e647da
• Opcode Fuzzy Hash: c054b58ef60272508c52d8ce0959ba2e779dab446c0d3af84fe4e19f33e188f5
• Instruction Fuzzy Hash: 4D3181B5D883C4DCF30187A4B8497B23B61AF15B04F58842AD954CB2E5D7FA1558C72F
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 00417812
• SleepEx.KERNEL32(00000000,00000000), ref: 0041781C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2116316201.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_LXbM8RbhLa.jbxd
Similarity
• API ID: ComputerNameSleep
• String ID: -
• API String ID: 3354815184-2547889144
• Opcode ID: fe48a9d4666960a0de1db073951572c13c30880cbe102230f9aa405653797754
• Instruction ID: 7da17d355d7a95a15018cc8c91bca72b973b9bf89b89328c17919f9fed7d9a35
• Opcode Fuzzy Hash: fe48a9d4666960a0de1db073951572c13c30880cbe102230f9aa405653797754
• Instruction Fuzzy Hash: 8E01D630904219D6D760EF64D9C57DABBF8FB08314F5181AAE69196085CF345ACCCFD5

Execution Graph

Execution Coverage:9%
Dynamic/Decrypted Code Coverage:20%
Signature Coverage:0%
Total number of Nodes:140
Total number of Limit Nodes:6
execution_graph 3774 402e63 3777 402e67 3774->3777 3775 402f44 3776 401918 8 API calls 3776->3775 3777->3775 3777->3776 3816 401543 3827 401546 3816->3827 3817 4015e6 NtDuplicateObject 3818 401603 NtCreateSection 3817->3818 3824 401702 3817->3824 3819 401683 NtCreateSection 3818->3819 3820 401629 NtMapViewOfSection 3818->3820 3822 4016af 3819->3822 3819->3824 3820->3819 3821 40164c NtMapViewOfSection 3820->3821 3821->3819 3823 40166a 3821->3823 3822->3824 3825 4016b9 NtMapViewOfSection 3822->3825 3823->3819 3825->3824 3826 4016e0 NtMapViewOfSection 3825->3826 3826->3824 3827->3817 3827->3824 3878 401924 3879 401929 3878->3879 3880 40195e Sleep 3879->3880 3881 401979 3880->3881 3882 401538 7 API calls 3881->3882 3883 40198a 3881->3883 3882->3883 3682 434003c 3683 4340049 3682->3683 3695 4340e0f SetErrorMode SetErrorMode 3683->3695 3688 4340265 3689 43402ce VirtualProtect 3688->3689 3691 434030b 3689->3691 3690 4340439 VirtualFree 3694 43404be LoadLibraryA 3690->3694 3691->3690 3693 43408c7 3694->3693 3696 4340223 3695->3696 3697 4340d90 3696->3697 3698 4340dad 3697->3698 3699 4340dbb GetPEB 3698->3699 3700 4340238 VirtualAlloc 3698->3700 3699->3700 3700->3688 3701 402fe9 3702 403140 3701->3702 3703 403013 3701->3703 3703->3702 3704 4030ce RtlCreateUserThread NtTerminateProcess 3703->3704 3704->3702 3705 417b8b 3711 41788d 3705->3711 3707 417b93 3709 41788d 34 API calls 3707->3709 3735 4175ef GlobalAlloc 3707->3735 3736 4175f0 GlobalAlloc 3707->3736 3709->3707 3712 41789a 3711->3712 3713 417919 lstrcatW InterlockedExchangeAdd WriteConsoleW 3712->3713 3721 417a16 3712->3721 3716 417954 7 API calls 3713->3716 3714 417a33 GetCommProperties GetTickCount GetLastError 3717 417a60 GetConsoleAliasesW 3714->3717 3718 417a59 ZombifyActCtx 3714->3718 3715 417a24 GlobalAlloc AddAtomA 3715->3714 3719 4179e5 3716->3719 3720 4179dc GetBoundsRect 3716->3720 3717->3721 3718->3717 3722 417a08 3719->3722 3723 4179ee GetModuleHandleExW 3719->3723 3720->3719 3721->3714 3721->3715 3724 417a80 FoldStringA 3721->3724 3728 417a94 3721->3728 3722->3721 3723->3722 3724->3721 3726 417adc LoadLibraryA 3738 41762d 3726->3738 3737 4175f0 GlobalAlloc 3728->3737 3732 417b3a 3743 41784a 3732->3743 3734 417b3f 3734->3707 3735->3707 3736->3707 3737->3726 3739 41766c 3738->3739 3740 417678 GetModuleHandleW GetProcAddress 3739->3740 3741 41774e 3739->3741 3740->3739 3742 41760f VirtualProtect 3741->3742 3742->3732 3750 417773 3743->3750 3746 417885 3755 4177ca 3746->3755 3747 41786d GetConsoleAliasExesLengthW UnhandledExceptionFilter FindFirstVolumeA 3747->3746 3749 41788a 3749->3734 3751 417790 3750->3751 3752 417788 CreateJobObjectW 3750->3752 3753 4177a4 OpenJobObjectA BuildCommDCBW LoadLibraryA 3751->3753 3754 4177bf 3751->3754 3752->3751 3753->3754 3754->3746 3754->3747 3756 4177e4 3755->3756 3757 417827 3755->3757 3756->3757 3758 417804 GetComputerNameW SleepEx 3756->3758 3757->3749 3758->3756 3759 276e33a 3760 276e349 3759->3760 3763 276eada 3760->3763 3768 276eaf5 3763->3768 3764 276eafe CreateToolhelp32Snapshot 3765 276eb1a Module32First 3764->3765 3764->3768 3766 276eb29 3765->3766 3769 276e352 3765->3769 3770 276e799 3766->3770 3768->3764 3768->3765 3771 276e7c4 3770->3771 3772 276e7d5 VirtualAlloc 3771->3772 3773 276e80d 3771->3773 3772->3773 3773->3773 3794 401496 3795 401447 3794->3795 3795->3794 3796 4015e6 NtDuplicateObject 3795->3796 3803 40152f 3795->3803 3797 401603 NtCreateSection 3796->3797 3796->3803 3798 401683 NtCreateSection 3797->3798 3799 401629 NtMapViewOfSection 3797->3799 3801 4016af 3798->3801 3798->3803 3799->3798 3800 40164c NtMapViewOfSection 3799->3800 3800->3798 3802 40166a 3800->3802 3801->3803 3804 4016b9 NtMapViewOfSection 3801->3804 3802->3798 3804->3803 3805 4016e0 NtMapViewOfSection 3804->3805 3805->3803 3660 402eb7 3662 402eb8 3660->3662 3661 402f44 3662->3661 3664 401918 3662->3664 3665 401929 3664->3665 3666 40195e Sleep 3665->3666 3667 401979 3666->3667 3669 40198a 3667->3669 3670 401538 3667->3670 3669->3661 3671 401539 3670->3671 3672 4015e6 NtDuplicateObject 3671->3672 3679 401702 3671->3679 3673 401603 NtCreateSection 3672->3673 3672->3679 3674 401683 NtCreateSection 3673->3674 3675 401629 NtMapViewOfSection 3673->3675 3677 4016af 3674->3677 3674->3679 3675->3674 3676 40164c NtMapViewOfSection 3675->3676 3676->3674 3678 40166a 3676->3678 3677->3679 3680 4016b9 NtMapViewOfSection 3677->3680 3678->3674 3679->3669 3680->3679 3681 4016e0 NtMapViewOfSection 3680->3681 3681->3679 3778 4014de 3779 401447 3778->3779 3780 4015e6 NtDuplicateObject 3779->3780 3787 40152f 3779->3787 3781 401603 NtCreateSection 3780->3781 3780->3787 3782 401683 NtCreateSection 3781->3782 3783 401629 NtMapViewOfSection 3781->3783 3785 4016af 3782->3785 3782->3787 3783->3782 3784 40164c NtMapViewOfSection 3783->3784 3784->3782 3786 40166a 3784->3786 3785->3787 3788 4016b9 NtMapViewOfSection 3785->3788 3786->3782 3788->3787 3789 4016e0 NtMapViewOfSection 3788->3789 3789->3787 3840 434092b GetPEB 3841 4340972 3840->3841

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 146 401496-4014a5 147 4014a7 146->147 148 40151b-40152d 146->148 149 4014a9-4014b5 147->149 150 4014cf 147->150 159 4014ba 148->159 160 40152f-401535 148->160 153 401471-401472 149->153 154 4014b7-4014b8 149->154 152 4014d6 150->152 152->152 156 4014d8 152->156 157 401473-401484 153->157 158 401449 154->158 154->159 156->148 164 40147b-40148e call 4011b7 157->164 158->164 165 40144b 158->165 161 401447-401456 159->161 162 4014bc-4014c3 159->162 170 40144c-401470 161->170 166 4014c5-4014c8 162->166 167 401539-401567 162->167 164->146 165->170 166->150 180 401558-401563 167->180 181 40156a-401590 call 4011b7 167->181 170->157 180->181 188 401592 181->188 189 401595-40159a 181->189 188->189 191 4015a0-4015b1 189->191 192 4018b8-4018c0 189->192 196 4018b6-4018c5 191->196 197 4015b7-4015e0 191->197 192->189 200 4018da 196->200 201 4018cb-4018d6 196->201 197->196 205 4015e6-4015fd NtDuplicateObject 197->205 200->201 202 4018dd-401915 call 4011b7 200->202 201->202 205->196 207 401603-401627 NtCreateSection 205->207 209 401683-4016a9 NtCreateSection 207->209 210 401629-40164a NtMapViewOfSection 207->210 209->196 213 4016af-4016b3 209->213 210->209 212 40164c-401668 NtMapViewOfSection 210->212 212->209 215 40166a-401680 212->215 213->196 217 4016b9-4016da NtMapViewOfSection 213->217 215->209 217->196 219 4016e0-4016fc NtMapViewOfSection 217->219 219->196 220 401702 call 401707 219->220
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
• Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
• Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 224 401538-401567 230 401558-401563 224->230 231 40156a-401590 call 4011b7 224->231 230->231 238 401592 231->238 239 401595-40159a 231->239 238->239 241 4015a0-4015b1 239->241 242 4018b8-4018c0 239->242 246 4018b6-4018c5 241->246 247 4015b7-4015e0 241->247 242->239 250 4018da 246->250 251 4018cb-4018d6 246->251 247->246 255 4015e6-4015fd NtDuplicateObject 247->255 250->251 252 4018dd-401915 call 4011b7 250->252 251->252 255->246 257 401603-401627 NtCreateSection 255->257 259 401683-4016a9 NtCreateSection 257->259 260 401629-40164a NtMapViewOfSection 257->260 259->246 263 4016af-4016b3 259->263 260->259 262 40164c-401668 NtMapViewOfSection 260->262 262->259 265 40166a-401680 262->265 263->246 267 4016b9-4016da NtMapViewOfSection 263->267 265->259 267->246 269 4016e0-4016fc NtMapViewOfSection 267->269 269->246 270 401702 call 401707 269->270
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
• Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
• Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Control-flow Graph (interactive graph view, not reproduced)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
• Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
• Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Control-flow Graph (interactive graph view, not reproduced)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
• Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
• Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Control-flow Graph (interactive graph view, not reproduced)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
• Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
• Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Control-flow Graph (interactive graph view, not reproduced)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
• Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
• Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
• Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Control-flow Graph (interactive graph view, not reproduced)
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                                                                                                                                                                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                                                                                                                                                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1546783058-0
                                                                                                                                                                                                                            • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                                                                                                                                                                            • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Control-flow Graph (rendered graph not recoverable as text). Function 00402FE9-00403145: setup in 00402FE9-00403042, then a loop over 00403044-004030C0 (inner loop at 00403052-00403060, a branch tree at 00403062-004030BC, back edge from 004030C0 to 00403044), exit checks at 004030C2-004030CC, and finally RtlCreateUserThread followed by NtTerminateProcess in 004030CE-0040313D; every path leaves through 00403140-00403145. RtlCreateUserThread is the call that starts a thread in another process once a view has been mapped into it; the process handle and start address it receives are not recorded in this listing.
APIs (none listed for this function; RtlCreateUserThread and NtTerminateProcess appear only in the graph)
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Control-flow Graph (no graph rendered for this function)

APIs
• lstrcatW.KERNEL32(?,00000000), ref: 00417921
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041792F
• WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417946
• lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041795D
• GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417966
• SetFileApisToANSI.KERNEL32 ref: 0041796C
• ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 004179AD
• SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 004179B5
• GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 004179C4
• EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004179CD
• GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004179DF
• GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004179FB
• GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417A26
• AddAtomA.KERNEL32(00000000), ref: 00417A2D
• GetCommProperties.KERNELBASE(00000000,?), ref: 00417A3B
• GetTickCount.KERNEL32 ref: 00417A41
• GetLastError.KERNEL32 ref: 00417A47
• ZombifyActCtx.KERNEL32(00000000), ref: 00417A5A
• GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00417A69
• FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417A85
• LoadLibraryA.KERNELBASE(004193A0), ref: 00417B2E
The 21 calls in 00417921-00417B2E span unrelated API families (console, atoms, volume mount points, COM-port properties, activation contexts, GDI) and, apart from the two pointers 0041931C and 004193A0, every constant argument is 0: the shape of junk API calls inserted to pad the import table and the API trace, with LoadLibraryA on the string at 004193A0 the only call that does useful work.
Strings
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCommCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointPropertiesReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
• String ID: k`$tl_$}$
• API String ID: 3342591227-211918992
• Opcode ID: 4a737c72b8b2e5e8f5a0726ffab7c7983664f1f5bd7eb7921d096495e0bb4b50
• Instruction ID: 60de32a46b810539f56dbbc9a0e9370a80c3ea5f16581ae93fdb629d8a96e62a
• Opcode Fuzzy Hash: 4a737c72b8b2e5e8f5a0726ffab7c7983664f1f5bd7eb7921d096495e0bb4b50
• Instruction Fuzzy Hash: 7F718D71845528AFD721AB65EC88CDF7B78FF09354B10846AF106E2150CF389A89CFAD
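Two checks a practitioner would want to run over the "APIs" bullets of the functions above, written here as an added Python example (not code from Joe Sandbox or from the sample): for function 0040157C it decodes the NtCreateSection and NtMapViewOfSection arguments into page protections and reports every view mapped into a process other than the caller, the section-mapping injection discussed above; for function 00417921 it scores the call list for API padding, a run of unrelated Win32 calls whose constant arguments are all NULL. Assumptions: argument positions follow the documented NtCreateSection and NtMapViewOfSection prototypes, the value 000000FF that this report prints for a process handle is taken to be its rendering of the NtCurrentProcess pseudo-handle (-1), an unresolved "?" handle is treated as remote, and the padding thresholds are illustrative. The input strings are constructed copies of the bullets above.

```python
# Added example for this report (not Joe Sandbox code, not code from the sample): parse the
# per-function "APIs" bullets in the format used on this page and flag two patterns seen above.
import re
from dataclasses import dataclass
from typing import List, Optional

# "• Api.MODULE(arg,...), ref: 00401234" or "• Api.MODULE ref: 00401234"; constants are 8 hex
# digits, values the sandbox did not resolve are printed as "?".
_API_LINE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
                       r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
Arg = Optional[int]  # None stands for "?"

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = (m.group("args") or "").strip()
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def page_name(p: Arg) -> str:
    return "?" if p is None else PAGE_NAMES.get(p & 0xFF, hex(p))

def is_executable(p: Arg) -> bool:
    return p is not None and bool(p & 0xF0)  # every PAGE_EXECUTE* value has a bit in 0xF0

# Joe prints the NtCurrentProcess pseudo-handle ((HANDLE)-1) as 000000FF on this page; both
# renderings are treated as "self" (assumption of this example).
SELF_HANDLES = {0xFF, 0xFFFFFFFF}

@dataclass
class SectionInjection:
    create_ref: int       # NtCreateSection call site
    section_protect: Arg  # NtCreateSection arg[4], SectionPageProtection
    map_ref: int          # NtMapViewOfSection call site whose ProcessHandle is not self
    view_protect: Arg     # NtMapViewOfSection arg[9], Win32Protect

    @property
    def executable(self) -> bool:
        return is_executable(self.section_protect) or is_executable(self.view_protect)

def find_section_injection(calls: List[ApiCall]) -> List[SectionInjection]:
    """NtCreateSection followed by NtMapViewOfSection whose ProcessHandle (arg[1]) is not self:
    the section is mapped into another process.  An unresolved "?" handle counts as remote."""
    findings, section = [], None
    for c in calls:
        if c.api == "NtCreateSection" and len(c.args) > 4:
            section = c
        elif c.api == "NtMapViewOfSection" and section and len(c.args) > 9:
            if c.args[1] not in SELF_HANDLES:
                findings.append(SectionInjection(section.ref, section.args[4], c.ref, c.args[9]))
    return findings

def junk_api_score(calls: List[ApiCall], min_calls: int = 8, threshold: float = 0.7):
    """Share of calls whose every constant argument is 0/NULL.  A run of unrelated Win32 APIs
    called with NULL arguments is padding against import and API-sequence heuristics;
    min_calls and threshold are hypothetical tuning values for this example."""
    with_args = [c for c in calls if any(a is not None for a in c.args)]
    if len(with_args) < min_calls:
        return 0.0, False
    null_only = sum(all(a == 0 for a in c.args if a is not None) for c in with_args)
    score = null_only / len(with_args)
    return score, score >= threshold

# Constructed input: copies of the "APIs" bullets of functions 0040157C and 00417921 above.
SECTION_FUNC_APIS = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
"""
NOISE_FUNC_APIS = """
• lstrcatW.KERNEL32(?,00000000), ref: 00417921
• WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417946
• SetFileApisToANSI.KERNEL32 ref: 0041796C
• SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 004179B5
• GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 004179C4
• GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 004179FB
• GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417A26
• GetCommProperties.KERNELBASE(00000000,?), ref: 00417A3B
• GetTickCount.KERNEL32 ref: 00417A41
• ZombifyActCtx.KERNEL32(00000000), ref: 00417A5A
• FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417A85
• LoadLibraryA.KERNELBASE(004193A0), ref: 00417B2E
"""

if __name__ == "__main__":
    for name, text in (("0040157C", SECTION_FUNC_APIS), ("00417921", NOISE_FUNC_APIS)):
        calls = parse_api_lines(text)
        print(name, [(hex(f.map_ref), page_name(f.section_protect), page_name(f.view_protect))
                     for f in find_section_injection(calls)], junk_api_score(calls))
```

For 0040157C the run reports two remote views: the one at 00401663 is a PAGE_READWRITE section mapped PAGE_READWRITE (a data channel), the one at 004016F7 is a PAGE_EXECUTE_READWRITE section mapped PAGE_EXECUTE_READ (code), which is the finding worth alerting on. For 00417921 ten of the twelve calls with constant arguments pass only zeros, a ratio of 0.8, above the illustrative threshold.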

Control-flow Graph (rendered graph not recoverable as text; the graph listing was also wrapped across two lines in the report). Function 0434003C-0434091D in the private region at 04340000 (no PE header): the entry block 0434004C-04340263 calls 04340A3F, 04340E0F and 04340D90 and then VirtualAlloc(NULL, ?, MEM_COMMIT, PAGE_READWRITE) at 0434024D; 043402CE-043403C2 calls VirtualProtect; a loop at 043403D1-04340437 calls 04340CE7 repeatedly; 04340439-043404B8 calls VirtualFree; 043404BE-0434086C is a chain of nested loops without API calls; 0434086E-043408BE calls LoadLibraryA; the function leaves through 04340902-0434091D. Allocate, change page rights, release, iterate, then LoadLibraryA, together with the strings kernel32.dll and the fragment cess, is the sequence of an in-memory loader stage and matches the report's unpacking signatures.
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0434024D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2408947734.0000000004340000.00000040.00001000.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4340000_ervhhuc.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 53affa20cb8b488cf163aad2922a86bc68d6a929b608a43a7fc987d5ff820bc1
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 3A527974A01229DFDB64CF68C984BACBBB1BF49314F1480D9E94DAB351DB30AA85DF14

Control-flow Graph (rendered graph not recoverable as text). Function 0276EADA-0276EB38: CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0) at 0276EB02, a snapshot of the modules loaded in the calling process (th32ProcessID 0 means the current process); when the call fails, the checks at 0276EB0C-0276EB18 loop back to 0276EAF5 and retry it (the standard handling for a module snapshot that fails with ERROR_BAD_LENGTH; the error value tested is not visible here); on success Module32First at 0276EB22 with dwSize 00000224, the size of the 32-bit MODULEENTRY32, then call 0276E799 and return through 0276EB30-0276EB38. Walking the process's own module list serves both analysis-tool detection (looking for sandbox or hooking DLLs) and hand-written API resolution (locating ntdll or kernel32); which of the two this is decided in 0276E799, outside this listing.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0276EB02
• Module32First.KERNEL32(00000000,00000224), ref: 0276EB22
Memory Dump Source
• Source File: 00000004.00000002.2408700708.000000000276B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0276B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_276b000_ervhhuc.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: a378ea838539b9dfa92773f442e348d5e73208ba7412a84fc11fd25ea3d1d11b
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 91F096392007156FD7203BF5A88DFBE76E9BF49624F140529EA47914C0DBB0E8454A75

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 558 4340e0f-4340e24 SetErrorMode * 2 559 4340e26 558->559 560 4340e2b-4340e2c 558->560 559->560
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,04340223,?,?), ref: 04340E19
                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,04340223,?,?), ref: 04340E1E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2408947734.0000000004340000.00000040.00001000.00020000.00000000.sdmp, Offset: 04340000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_4340000_ervhhuc.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorMode
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                            • Instruction ID: 9ba4c803bf1649750f1f0e324d1d827291975af5e6a2cfbb38a744cdf1f8ef59
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AED0123124512877D7002A94DC09BCD7B5CDF05B62F008011FB0DD9080C770A64046E5

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 561 41760f-41762c VirtualProtect
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualProtect.KERNELBASE(00000040,?), ref: 00417625
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 544645111-0
                                                                                                                                                                                                                            • Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                                                                                                                                                                                            • Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                                                                                                                                                                            • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0276E7EA
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2408700708.000000000276B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0276B000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_276b000_ervhhuc.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction ID: 77c877313b9057f30923dc89725fa6327a86f76ae76a64c726414688c3243fc6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4110C79A00208EFDB01DF98C989E99BBF5EF08751F1580A4F9489B361D771EA50DF90
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                                                                                                                                                                              • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Section$CreateDuplicateObjectSleepView
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1885482327-0
                                                                                                                                                                                                                            • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000004.00000002.2407256947.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_ervhhuc.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
APIs
• GlobalAlloc.KERNELBASE(00000000,00417ADC), ref: 004175F8
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
APIs
• GlobalAlloc.KERNELBASE(00000000,00417ADC), ref: 004175F8
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
APIs
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041778A
• OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 004177A7
• BuildCommDCBW.KERNEL32(00000000,?), ref: 004177B2
• LoadLibraryA.KERNEL32(00000000), ref: 004177B9
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: Object$BuildCommCreateLibraryLoadOpen
• String ID:
• API String ID: 2043902199-0
APIs
• GetModuleHandleW.KERNEL32(02705280), ref: 004176F9
• GetProcAddress.KERNEL32(00000000,0041D350), ref: 00417736
Strings
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-3916222277
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 00417812
• SleepEx.KERNEL32(00000000,00000000), ref: 0041781C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2407285870.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_ervhhuc.jbxd
Similarity
• API ID: ComputerNameSleep
• String ID: -
• API String ID: 3354815184-2547889144

Execution Graph

Execution Coverage: 18.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.5%
Total number of Nodes: 1453
Total number of Limit Nodes: 32
3554->3558 3559 403c5b 3555->3559 3561 405d1a 3 API calls 3556->3561 3557->3556 3560 403c7b GetFileAttributesA 3557->3560 3563 403e33 18 API calls 3558->3563 3558->3584 3559->3552 3562 403c87 3560->3562 3564 403c97 3561->3564 3562->3556 3565 405d61 2 API calls 3562->3565 3566 403d71 3563->3566 3715 406388 lstrcpynA 3564->3715 3565->3556 3568 403e00 3566->3568 3569 403d7d ShowWindow 3566->3569 3716 40557b OleInitialize 3568->3716 3571 406726 3 API calls 3569->3571 3573 403d95 3571->3573 3572 403e06 3575 403e22 3572->3575 3576 403e0a 3572->3576 3574 403da3 GetClassInfoA 3573->3574 3577 406726 3 API calls 3573->3577 3579 403db7 GetClassInfoA RegisterClassA 3574->3579 3580 403dcd DialogBoxParamA 3574->3580 3578 40140b 2 API calls 3575->3578 3582 40140b 2 API calls 3576->3582 3576->3584 3577->3574 3578->3584 3579->3580 3581 40140b 2 API calls 3580->3581 3583 403df5 3581->3583 3582->3584 3583->3584 3584->3421 3585->3408 3734 406388 lstrcpynA 3586->3734 3588 405e19 3735 405db3 CharNextA CharNextA 3588->3735 3591 403881 3591->3421 3600 406388 lstrcpynA 3591->3600 3592 406666 5 API calls 3598 405e2f 3592->3598 3593 405e5a lstrlenA 3594 405e65 3593->3594 3593->3598 3595 405d1a 3 API calls 3594->3595 3597 405e6a GetFileAttributesA 3595->3597 3597->3591 3598->3591 3598->3593 3599 405d61 2 API calls 3598->3599 3741 4066ff FindFirstFileA 3598->3741 3599->3593 3600->3456 3601->3424 3603 405ab3 3602->3603 3604 4038d2 ExitProcess 3603->3604 3605 405ac7 MessageBoxIndirectA 3603->3605 3605->3604 3607 406794 5 API calls 3606->3607 3608 4038df lstrcatA 3607->3608 3608->3449 3608->3450 3610 4059c0 GetLastError 3609->3610 3611 403921 3609->3611 3610->3611 3612 4059cf SetFileSecurityA 3610->3612 3611->3461 3612->3611 3613 4059e5 GetLastError 3612->3613 3613->3611 3615 405a00 GetLastError 3614->3615 3616 4059fc 3614->3616 3615->3616 3616->3461 3617->3462 3618->3474 3620 406182 3619->3620 3621 406175 3619->3621 3620->3474 3744 405ff1 3621->3744 3624 405a60 3623->3624 3625 405a54 CloseHandle 
3623->3625 3624->3474 3625->3624 3627 401389 2 API calls 3626->3627 3628 401420 3627->3628 3628->3428 3630 405d34 lstrcatA 3629->3630 3631 4034b9 3629->3631 3630->3631 3631->3494 3632->3500 3633->3502 3635 405d6e 3634->3635 3636 405d73 CharPrevA 3635->3636 3637 402fc8 3635->3637 3636->3635 3636->3637 3638 406388 lstrcpynA 3637->3638 3638->3506 3640 402ee3 3639->3640 3641 402ecb 3639->3641 3644 402ef3 GetTickCount 3640->3644 3645 402eeb 3640->3645 3642 402ed4 DestroyWindow 3641->3642 3643 402edb 3641->3643 3642->3643 3643->3511 3643->3527 3673 403484 SetFilePointer 3643->3673 3644->3643 3647 402f01 3644->3647 3674 4067d0 3645->3674 3648 402f36 CreateDialogParamA ShowWindow 3647->3648 3649 402f09 3647->3649 3648->3643 3649->3643 3678 402ea1 3649->3678 3651 402f17 wsprintfA 3652 4054a9 24 API calls 3651->3652 3653 402f34 3652->3653 3653->3643 3654->3524 3656 403228 3655->3656 3657 40320c SetFilePointer 3655->3657 3681 403305 GetTickCount 3656->3681 3657->3656 3662 403305 42 API calls 3663 40325f 3662->3663 3664 4032c5 3663->3664 3665 4032cb ReadFile 3663->3665 3666 40326e 3663->3666 3664->3527 3665->3664 3666->3664 3668 405f93 ReadFile 3666->3668 3696 405fc2 WriteFile 3666->3696 3668->3666 3671 405f93 ReadFile 3670->3671 3672 403481 3671->3672 3672->3526 3673->3515 3675 4067ed PeekMessageA 3674->3675 3676 4067e3 DispatchMessageA 3675->3676 3677 4067fd 3675->3677 3676->3675 3677->3643 3679 402eb0 3678->3679 3680 402eb2 MulDiv 3678->3680 3679->3680 3680->3651 3682 403333 3681->3682 3683 40345d 3681->3683 3698 403484 SetFilePointer 3682->3698 3684 402ebd 32 API calls 3683->3684 3690 40322f 3684->3690 3686 40333e SetFilePointer 3691 403363 3686->3691 3687 40346e ReadFile 3687->3691 3689 402ebd 32 API calls 3689->3691 3690->3664 3694 405f93 ReadFile 3690->3694 3691->3687 3691->3689 3691->3690 3692 405fc2 WriteFile 3691->3692 3693 40343e SetFilePointer 3691->3693 3699 4068d9 3691->3699 3692->3691 3693->3683 3695 403248 3694->3695 3695->3662 3695->3664 3697 405fe0 3696->3697 
3697->3666 3698->3686 3700 4068fe 3699->3700 3705 406906 3699->3705 3700->3691 3701 406996 GlobalAlloc 3701->3700 3701->3705 3702 40698d GlobalFree 3702->3701 3703 406a04 GlobalFree 3704 406a0d GlobalAlloc 3703->3704 3704->3700 3704->3705 3705->3700 3705->3701 3705->3702 3705->3703 3705->3704 3707 403e47 3706->3707 3723 4062e6 wsprintfA 3707->3723 3709 403eb8 3724 403eec 3709->3724 3711 403bf3 3711->3541 3712 403ebd 3712->3711 3713 40641b 17 API calls 3712->3713 3713->3712 3714->3537 3715->3543 3727 404451 3716->3727 3718 40559e 3722 4055c5 3718->3722 3730 401389 3718->3730 3719 404451 SendMessageA 3720 4055d7 OleUninitialize 3719->3720 3720->3572 3722->3719 3723->3709 3725 40641b 17 API calls 3724->3725 3726 403efa SetWindowTextA 3725->3726 3726->3712 3728 404469 3727->3728 3729 40445a SendMessageA 3727->3729 3728->3718 3729->3728 3732 401390 3730->3732 3731 4013fe 3731->3718 3732->3731 3733 4013cb MulDiv SendMessageA 3732->3733 3733->3732 3734->3588 3736 405dde 3735->3736 3737 405dce 3735->3737 3739 405d45 CharNextA 3736->3739 3740 405dfe 3736->3740 3737->3736 3738 405dd9 CharNextA 3737->3738 3738->3740 3739->3736 3740->3591 3740->3592 3742 406715 FindClose 3741->3742 3743 406720 3741->3743 3742->3743 3743->3598 3745 406017 3744->3745 3746 40603d GetShortPathNameA 3744->3746 3771 405f1b GetFileAttributesA CreateFileA 3745->3771 3748 406052 3746->3748 3749 40615c 3746->3749 3748->3749 3751 40605a wsprintfA 3748->3751 3749->3620 3750 406021 CloseHandle GetShortPathNameA 3750->3749 3753 406035 3750->3753 3752 40641b 17 API calls 3751->3752 3754 406082 3752->3754 3753->3746 3753->3749 3772 405f1b GetFileAttributesA CreateFileA 3754->3772 3756 40608f 3756->3749 3757 40609e GetFileSize GlobalAlloc 3756->3757 3758 4060c0 3757->3758 3759 406155 CloseHandle 3757->3759 3760 405f93 ReadFile 3758->3760 3759->3749 3761 4060c8 3760->3761 3761->3759 3773 405e80 lstrlenA 3761->3773 3764 4060f3 3766 405e80 4 API calls 3764->3766 3765 4060df lstrcpyA 3767 406101 3765->3767 
3766->3767 3768 406138 SetFilePointer 3767->3768 3769 405fc2 WriteFile 3768->3769 3770 40614e GlobalFree 3769->3770 3770->3759 3771->3750 3772->3756 3774 405ec1 lstrlenA 3773->3774 3775 405ec9 3774->3775 3776 405e9a lstrcmpiA 3774->3776 3775->3764 3775->3765 3776->3775 3777 405eb8 CharNextA 3776->3777 3777->3774 4044 404850 4045 404860 4044->4045 4046 404886 4044->4046 4051 404405 4045->4051 4054 40446c 4046->4054 4049 40486d SetDlgItemTextA 4049->4046 4052 40641b 17 API calls 4051->4052 4053 404410 SetDlgItemTextA 4052->4053 4053->4049 4055 40452f 4054->4055 4056 404484 GetWindowLongA 4054->4056 4056->4055 4057 404499 4056->4057 4057->4055 4058 4044c6 GetSysColor 4057->4058 4059 4044c9 4057->4059 4058->4059 4060 4044d9 SetBkMode 4059->4060 4061 4044cf SetTextColor 4059->4061 4062 4044f1 GetSysColor 4060->4062 4063 4044f7 4060->4063 4061->4060 4062->4063 4064 4044fe SetBkColor 4063->4064 4065 404508 4063->4065 4064->4065 4065->4055 4066 404522 CreateBrushIndirect 4065->4066 4067 40451b DeleteObject 4065->4067 4066->4055 4067->4066 4075 4014d6 4076 402c17 17 API calls 4075->4076 4077 4014dc Sleep 4076->4077 4079 402ac5 4077->4079 3873 401759 3874 402c39 17 API calls 3873->3874 3875 401760 3874->3875 3876 401786 3875->3876 3877 40177e 3875->3877 3913 406388 lstrcpynA 3876->3913 3912 406388 lstrcpynA 3877->3912 3880 401784 3884 406666 5 API calls 3880->3884 3881 401791 3882 405d1a 3 API calls 3881->3882 3883 401797 lstrcatA 3882->3883 3883->3880 3899 4017a3 3884->3899 3885 4066ff 2 API calls 3885->3899 3886 405ef6 2 API calls 3886->3899 3888 4017ba CompareFileTime 3888->3899 3889 40187e 3890 4054a9 24 API calls 3889->3890 3892 401888 3890->3892 3891 401855 3893 4054a9 24 API calls 3891->3893 3900 40186a 3891->3900 3894 4031fd 44 API calls 3892->3894 3893->3900 3895 40189b 3894->3895 3896 4018af SetFileTime 3895->3896 3898 4018c1 FindCloseChangeNotification 3895->3898 3896->3898 3897 40641b 17 API calls 3897->3899 3898->3900 3901 4018d2 3898->3901 3899->3885 3899->3886 
3899->3888 3899->3889 3899->3891 3899->3897 3902 406388 lstrcpynA 3899->3902 3907 405a9e MessageBoxIndirectA 3899->3907 3911 405f1b GetFileAttributesA CreateFileA 3899->3911 3903 4018d7 3901->3903 3904 4018ea 3901->3904 3902->3899 3905 40641b 17 API calls 3903->3905 3906 40641b 17 API calls 3904->3906 3908 4018df lstrcatA 3905->3908 3909 4018f2 3906->3909 3907->3899 3908->3909 3910 405a9e MessageBoxIndirectA 3909->3910 3910->3900 3911->3899 3912->3880 3913->3881 4080 401659 4081 402c39 17 API calls 4080->4081 4082 40165f 4081->4082 4083 4066ff 2 API calls 4082->4083 4084 401665 4083->4084 4085 401959 4086 402c17 17 API calls 4085->4086 4087 401960 4086->4087 4088 402c17 17 API calls 4087->4088 4089 40196d 4088->4089 4090 402c39 17 API calls 4089->4090 4091 401984 lstrlenA 4090->4091 4093 401994 4091->4093 4092 4019d4 4093->4092 4097 406388 lstrcpynA 4093->4097 4095 4019c4 4095->4092 4096 4019c9 lstrlenA 4095->4096 4096->4092 4097->4095 4098 401a5e 4099 402c17 17 API calls 4098->4099 4100 401a67 4099->4100 4101 402c17 17 API calls 4100->4101 4102 401a0e 4101->4102 4103 401563 4104 402a42 4103->4104 4107 4062e6 wsprintfA 4104->4107 4106 402a47 4107->4106 4108 401b63 4109 402c39 17 API calls 4108->4109 4110 401b6a 4109->4110 4111 402c17 17 API calls 4110->4111 4112 401b73 wsprintfA 4111->4112 4113 402ac5 4112->4113 4114 100013a4 4121 10001426 4114->4121 4122 100013d0 4121->4122 4124 1000142f 4121->4124 4126 100010d0 GetVersionExA 4122->4126 4123 1000145f GlobalFree 4123->4122 4124->4122 4124->4123 4125 1000144b lstrcpynA 4124->4125 4125->4123 4127 10001106 4126->4127 4142 100010fc 4126->4142 4128 10001122 LoadLibraryW 4127->4128 4129 1000110e 4127->4129 4131 1000113b GetProcAddress 4128->4131 4141 100011a5 4128->4141 4130 10001225 LoadLibraryA 4129->4130 4129->4142 4133 1000123d GetProcAddress GetProcAddress GetProcAddress 4130->4133 4130->4142 4132 1000114e LocalAlloc 4131->4132 4138 1000118e 4131->4138 4134 10001189 4132->4134 4136 10001323 FreeLibrary 4133->4136 
4150 1000126b 4133->4150 4137 1000115c NtQuerySystemInformation 4134->4137 4134->4138 4135 1000119a FreeLibrary 4135->4141 4136->4142 4137->4135 4139 1000116f LocalFree 4137->4139 4138->4135 4139->4138 4143 10001180 LocalAlloc 4139->4143 4140 100011c1 WideCharToMultiByte lstrcmpiA 4140->4141 4141->4140 4141->4142 4144 10001217 LocalFree 4141->4144 4145 100011f7 4141->4145 4152 100014ba wsprintfA 4142->4152 4143->4134 4144->4142 4145->4141 4146 1000103f 8 API calls 4145->4146 4146->4145 4147 100012a2 lstrlenA 4147->4150 4148 1000131c CloseHandle 4148->4136 4149 100012c4 lstrcpynA lstrcmpiA 4149->4150 4150->4136 4150->4147 4150->4148 4150->4149 4151 1000103f 8 API calls 4150->4151 4151->4150 4155 10001475 4152->4155 4156 100013e3 4155->4156 4157 1000147e GlobalAlloc lstrcpynA 4155->4157 4157->4156 4158 401d65 4159 401d78 GetDlgItem 4158->4159 4160 401d6b 4158->4160 4161 401d72 4159->4161 4162 402c17 17 API calls 4160->4162 4163 401db9 GetClientRect LoadImageA SendMessageA 4161->4163 4164 402c39 17 API calls 4161->4164 4162->4161 4166 401e26 4163->4166 4167 401e1a 4163->4167 4164->4163 4167->4166 4168 401e1f DeleteObject 4167->4168 4168->4166 3376 10001426 3377 1000146f 3376->3377 3379 1000142f 3376->3379 3378 1000145f GlobalFree 3378->3377 3379->3377 3379->3378 3380 1000144b lstrcpynA 3379->3380 3380->3378 4169 402766 4170 40276c 4169->4170 4171 402774 FindClose 4170->4171 4172 402ac5 4170->4172 4171->4172 4173 4055e7 4174 405792 4173->4174 4175 405609 GetDlgItem GetDlgItem GetDlgItem 4173->4175 4177 40579a GetDlgItem CreateThread CloseHandle 4174->4177 4180 4057c2 4174->4180 4218 40443a SendMessageA 4175->4218 4177->4180 4178 405679 4184 405680 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4178->4184 4179 4057f0 4183 40584b 4179->4183 4186 405800 4179->4186 4187 405824 ShowWindow 4179->4187 4180->4179 4181 405811 4180->4181 4182 4057d8 ShowWindow ShowWindow 4180->4182 4188 40446c 8 API calls 4181->4188 4220 40443a SendMessageA 4182->4220 4183->4181 4193 
405858 SendMessageA 4183->4193 4191 4056d2 SendMessageA SendMessageA 4184->4191 4192 4056ee 4184->4192 4221 4043de 4186->4221 4189 405844 4187->4189 4190 405836 4187->4190 4195 40581d 4188->4195 4197 4043de SendMessageA 4189->4197 4196 4054a9 24 API calls 4190->4196 4191->4192 4198 405701 4192->4198 4199 4056f3 SendMessageA 4192->4199 4193->4195 4200 405871 CreatePopupMenu 4193->4200 4196->4189 4197->4183 4202 404405 18 API calls 4198->4202 4199->4198 4201 40641b 17 API calls 4200->4201 4203 405881 AppendMenuA 4201->4203 4204 405711 4202->4204 4205 4058b2 TrackPopupMenu 4203->4205 4206 40589f GetWindowRect 4203->4206 4207 40571a ShowWindow 4204->4207 4208 40574e GetDlgItem SendMessageA 4204->4208 4205->4195 4210 4058ce 4205->4210 4206->4205 4211 405730 ShowWindow 4207->4211 4212 40573d 4207->4212 4208->4195 4209 405775 SendMessageA SendMessageA 4208->4209 4209->4195 4213 4058ed SendMessageA 4210->4213 4211->4212 4219 40443a SendMessageA 4212->4219 4213->4213 4214 40590a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4213->4214 4216 40592c SendMessageA 4214->4216 4216->4216 4217 40594e GlobalUnlock SetClipboardData CloseClipboard 4216->4217 4217->4195 4218->4178 4219->4208 4220->4179 4222 4043e5 4221->4222 4223 4043eb SendMessageA 4221->4223 4222->4223 4223->4181 4224 404be8 4225 404c14 4224->4225 4226 404bf8 4224->4226 4228 404c47 4225->4228 4229 404c1a SHGetPathFromIDListA 4225->4229 4235 405a82 GetDlgItemTextA 4226->4235 4231 404c31 SendMessageA 4229->4231 4232 404c2a 4229->4232 4230 404c05 SendMessageA 4230->4225 4231->4228 4233 40140b 2 API calls 4232->4233 4233->4231 4235->4230 4236 4023e8 4237 402c39 17 API calls 4236->4237 4238 4023f9 4237->4238 4239 402c39 17 API calls 4238->4239 4240 402402 4239->4240 4241 402c39 17 API calls 4240->4241 4242 40240c GetPrivateProfileStringA 4241->4242 4243 4027e8 4244 402c39 17 API calls 4243->4244 4245 4027f4 4244->4245 4246 40280a 4245->4246 4247 402c39 17 API calls 4245->4247 4248 405ef6 2 API calls 4246->4248 
4247->4246 4249 402810 4248->4249 4271 405f1b GetFileAttributesA CreateFileA 4249->4271 4251 40281d 4252 4028d9 4251->4252 4253 4028c1 4251->4253 4254 402838 GlobalAlloc 4251->4254 4255 4028e0 DeleteFileA 4252->4255 4256 4028f3 4252->4256 4258 4031fd 44 API calls 4253->4258 4254->4253 4257 402851 4254->4257 4255->4256 4272 403484 SetFilePointer 4257->4272 4260 4028ce CloseHandle 4258->4260 4260->4252 4261 402857 4262 40346e ReadFile 4261->4262 4263 402860 GlobalAlloc 4262->4263 4264 402870 4263->4264 4265 4028aa 4263->4265 4267 4031fd 44 API calls 4264->4267 4266 405fc2 WriteFile 4265->4266 4268 4028b6 GlobalFree 4266->4268 4270 40287d 4267->4270 4268->4253 4269 4028a1 GlobalFree 4269->4265 4270->4269 4271->4251 4272->4261 4273 40166a 4274 402c39 17 API calls 4273->4274 4275 401671 4274->4275 4276 402c39 17 API calls 4275->4276 4277 40167a 4276->4277 4278 402c39 17 API calls 4277->4278 4279 401683 MoveFileA 4278->4279 4280 401696 4279->4280 4286 40168f 4279->4286 4282 4066ff 2 API calls 4280->4282 4284 4022ea 4280->4284 4281 401423 24 API calls 4281->4284 4283 4016a5 4282->4283 4283->4284 4285 406161 36 API calls 4283->4285 4285->4286 4286->4281 4294 4019ed 4295 402c39 17 API calls 4294->4295 4296 4019f4 4295->4296 4297 402c39 17 API calls 4296->4297 4298 4019fd 4297->4298 4299 401a04 lstrcmpiA 4298->4299 4300 401a16 lstrcmpA 4298->4300 4301 401a0a 4299->4301 4300->4301 4302 40156f 4303 401586 4302->4303 4304 40157f ShowWindow 4302->4304 4305 401594 ShowWindow 4303->4305 4306 402ac5 4303->4306 4304->4303 4305->4306 4307 404570 4308 404586 4307->4308 4313 404692 4307->4313 4311 404405 18 API calls 4308->4311 4309 404701 4310 4047cb 4309->4310 4312 40470b GetDlgItem 4309->4312 4319 40446c 8 API calls 4310->4319 4314 4045dc 4311->4314 4315 404721 4312->4315 4316 404789 4312->4316 4313->4309 4313->4310 4317 4046d6 GetDlgItem SendMessageA 4313->4317 4318 404405 18 API calls 4314->4318 4315->4316 4320 404747 SendMessageA LoadCursorA SetCursor 4315->4320 4316->4310 4321 
40479b 4316->4321 4340 404427 EnableWindow 4317->4340 4323 4045e9 CheckDlgButton 4318->4323 4324 4047c6 4319->4324 4344 404814 4320->4344 4326 4047a1 SendMessageA 4321->4326 4327 4047b2 4321->4327 4338 404427 EnableWindow 4323->4338 4326->4327 4327->4324 4331 4047b8 SendMessageA 4327->4331 4328 4046fc 4341 4047f0 4328->4341 4331->4324 4333 404607 GetDlgItem 4339 40443a SendMessageA 4333->4339 4335 40461d SendMessageA 4336 404644 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4335->4336 4337 40463b GetSysColor 4335->4337 4336->4324 4337->4336 4338->4333 4339->4335 4340->4328 4342 404803 SendMessageA 4341->4342 4343 4047fe 4341->4343 4342->4309 4343->4342 4347 405a64 ShellExecuteExA 4344->4347 4346 40477a LoadCursorA SetCursor 4346->4316 4347->4346 4348 402173 4349 402c39 17 API calls 4348->4349 4350 40217a 4349->4350 4351 402c39 17 API calls 4350->4351 4352 402184 4351->4352 4353 402c39 17 API calls 4352->4353 4354 40218e 4353->4354 4355 402c39 17 API calls 4354->4355 4356 40219b 4355->4356 4357 402c39 17 API calls 4356->4357 4358 4021a5 4357->4358 4359 4021e7 CoCreateInstance 4358->4359 4360 402c39 17 API calls 4358->4360 4363 402206 4359->4363 4365 4022b4 4359->4365 4360->4359 4361 401423 24 API calls 4362 4022ea 4361->4362 4364 402294 MultiByteToWideChar 4363->4364 4363->4365 4364->4365 4365->4361 4365->4362 4366 4022f3 4367 402c39 17 API calls 4366->4367 4368 4022f9 4367->4368 4369 402c39 17 API calls 4368->4369 4370 402302 4369->4370 4371 402c39 17 API calls 4370->4371 4372 40230b 4371->4372 4373 4066ff 2 API calls 4372->4373 4374 402314 4373->4374 4375 402325 lstrlenA lstrlenA 4374->4375 4376 402318 4374->4376 4378 4054a9 24 API calls 4375->4378 4377 4054a9 24 API calls 4376->4377 4379 402320 4376->4379 4377->4379 4380 402361 SHFileOperationA 4378->4380 4380->4376 4380->4379 4381 4014f4 SetForegroundWindow 4382 402ac5 4381->4382 4383 402375 4384 40237c 4383->4384 4388 40238f 4383->4388 4385 40641b 17 API calls 4384->4385 4386 402389 4385->4386 
4387 405a9e MessageBoxIndirectA 4386->4387 4387->4388 4389 402675 4390 402c17 17 API calls 4389->4390 4391 40267f 4390->4391 4392 405f93 ReadFile 4391->4392 4393 4026ef 4391->4393 4396 4026ff 4391->4396 4397 4026ed 4391->4397 4392->4391 4398 4062e6 wsprintfA 4393->4398 4395 402715 SetFilePointer 4395->4397 4396->4395 4396->4397 4398->4397 4399 4029f6 4400 402a49 4399->4400 4401 4029fd 4399->4401 4402 406794 5 API calls 4400->4402 4403 402c17 17 API calls 4401->4403 4409 402a47 4401->4409 4404 402a50 4402->4404 4405 402a0b 4403->4405 4406 402c39 17 API calls 4404->4406 4407 402c17 17 API calls 4405->4407 4408 402a59 4406->4408 4411 402a1a 4407->4411 4408->4409 4417 4063db 4408->4417 4416 4062e6 wsprintfA 4411->4416 4413 402a67 4413->4409 4421 4063c5 4413->4421 4416->4409 4419 4063e6 4417->4419 4418 406409 IIDFromString 4418->4413 4419->4418 4420 406402 4419->4420 4420->4413 4424 4063aa WideCharToMultiByte 4421->4424 4423 402a88 CoTaskMemFree 4423->4409 4424->4423 4425 401ef9 4426 402c39 17 API calls 4425->4426 4427 401eff 4426->4427 4428 402c39 17 API calls 4427->4428 4429 401f08 4428->4429 4430 402c39 17 API calls 4429->4430 4431 401f11 4430->4431 4432 402c39 17 API calls 4431->4432 4433 401f1a 4432->4433 4434 401423 24 API calls 4433->4434 4435 401f21 4434->4435 4442 405a64 ShellExecuteExA 4435->4442 4437 401f5c 4438 406809 5 API calls 4437->4438 4439 4027c8 4437->4439 4440 401f76 CloseHandle 4438->4440 4440->4439 4442->4437 3914 401f7b 3915 402c39 17 API calls 3914->3915 3916 401f81 3915->3916 3917 4054a9 24 API calls 3916->3917 3918 401f8b 3917->3918 3919 405a21 2 API calls 3918->3919 3920 401f91 3919->3920 3923 4027c8 3920->3923 3928 401fb2 CloseHandle 3920->3928 3929 406809 WaitForSingleObject 3920->3929 3924 401fa6 3925 401fb4 3924->3925 3926 401fab 3924->3926 3925->3928 3934 4062e6 wsprintfA 3926->3934 3928->3923 3930 406823 3929->3930 3931 406835 GetExitCodeProcess 3930->3931 3932 4067d0 2 API calls 3930->3932 3931->3924 3933 40682a WaitForSingleObject 
3932->3933 3933->3930 3934->3928 4450 401ffb 4451 402c39 17 API calls 4450->4451 4452 402002 4451->4452 4453 406794 5 API calls 4452->4453 4454 402011 4453->4454 4455 402099 4454->4455 4456 402029 GlobalAlloc 4454->4456 4456->4455 4457 40203d 4456->4457 4458 406794 5 API calls 4457->4458 4459 402044 4458->4459 4460 406794 5 API calls 4459->4460 4461 40204e 4460->4461 4461->4455 4465 4062e6 wsprintfA 4461->4465 4463 402089 4466 4062e6 wsprintfA 4463->4466 4465->4463 4466->4455 3956 403a7c 3957 403a97 3956->3957 3958 403a8d CloseHandle 3956->3958 3959 403aa1 CloseHandle 3957->3959 3960 403aab 3957->3960 3958->3957 3959->3960 3965 403ad9 3960->3965 3963 405b4a 67 API calls 3964 403abc 3963->3964 3966 403ae7 3965->3966 3967 403ab0 3966->3967 3968 403aec FreeLibrary GlobalFree 3966->3968 3967->3963 3968->3967 3968->3968 4467 4018fd 4468 401934 4467->4468 4469 402c39 17 API calls 4468->4469 4470 401939 4469->4470 4471 405b4a 67 API calls 4470->4471 4472 401942 4471->4472 3969 40247e 3970 402c39 17 API calls 3969->3970 3971 402490 3970->3971 3972 402c39 17 API calls 3971->3972 3973 40249a 3972->3973 3986 402cc9 3973->3986 3976 402ac5 3977 4024cf 3979 4024db 3977->3979 3990 402c17 3977->3990 3978 402c39 17 API calls 3980 4024c8 lstrlenA 3978->3980 3982 4024fd RegSetValueExA 3979->3982 3983 4031fd 44 API calls 3979->3983 3980->3977 3984 402513 RegCloseKey 3982->3984 3983->3982 3984->3976 3987 402ce4 3986->3987 3993 40623c 3987->3993 3991 40641b 17 API calls 3990->3991 3992 402c2c 3991->3992 3992->3979 3994 40624b 3993->3994 3995 4024aa 3994->3995 3996 406256 RegCreateKeyExA 3994->3996 3995->3976 3995->3977 3995->3978 3996->3995 4473 401cfe 4474 402c17 17 API calls 4473->4474 4475 401d04 IsWindow 4474->4475 4476 401a0e 4475->4476 4477 401000 4478 401037 BeginPaint GetClientRect 4477->4478 4479 40100c DefWindowProcA 4477->4479 4481 4010f3 4478->4481 4482 401179 4479->4482 4483 401073 CreateBrushIndirect FillRect DeleteObject 4481->4483 4484 4010fc 4481->4484 4483->4481 4485 
401102 CreateFontIndirectA 4484->4485 4486 401167 EndPaint 4484->4486 4485->4486 4487 401112 6 API calls 4485->4487 4486->4482 4487->4486 4488 401900 4489 402c39 17 API calls 4488->4489 4490 401907 4489->4490 4491 405a9e MessageBoxIndirectA 4490->4491 4492 401910 4491->4492 4493 402780 4494 402786 4493->4494 4495 40278a FindNextFileA 4494->4495 4496 40279c 4494->4496 4495->4496 4497 4027db 4495->4497 4499 406388 lstrcpynA 4497->4499 4499->4496 4500 401502 4501 40150a 4500->4501 4503 40151d 4500->4503 4502 402c17 17 API calls 4501->4502 4502->4503 4504 401b87 4505 401b94 4504->4505 4506 401bd8 4504->4506 4507 401c1c 4505->4507 4513 401bab 4505->4513 4508 401c01 GlobalAlloc 4506->4508 4509 401bdc 4506->4509 4511 40641b 17 API calls 4507->4511 4518 40238f 4507->4518 4510 40641b 17 API calls 4508->4510 4509->4518 4525 406388 lstrcpynA 4509->4525 4510->4507 4512 402389 4511->4512 4517 405a9e MessageBoxIndirectA 4512->4517 4523 406388 lstrcpynA 4513->4523 4516 401bee GlobalFree 4516->4518 4517->4518 4519 401bba 4524 406388 lstrcpynA 4519->4524 4521 401bc9 4526 406388 lstrcpynA 4521->4526 4523->4519 4524->4521 4525->4516 4526->4518 4527 406a88 4531 40690c 4527->4531 4528 407277 4529 406996 GlobalAlloc 4529->4528 4529->4531 4530 40698d GlobalFree 4530->4529 4531->4528 4531->4529 4531->4530 4532 406a04 GlobalFree 4531->4532 4533 406a0d GlobalAlloc 4531->4533 4532->4533 4533->4528 4533->4531 3381 401389 3383 401390 3381->3383 3382 4013fe 3383->3382 3384 4013cb MulDiv SendMessageA 3383->3384 3384->3383 4534 404e0a GetDlgItem GetDlgItem 4535 404e60 7 API calls 4534->4535 4542 405087 4534->4542 4536 404f08 DeleteObject 4535->4536 4537 404efc SendMessageA 4535->4537 4538 404f13 4536->4538 4537->4536 4540 404f4a 4538->4540 4543 40641b 17 API calls 4538->4543 4539 405169 4541 405215 4539->4541 4545 40507a 4539->4545 4551 4051c2 SendMessageA 4539->4551 4544 404405 18 API calls 4540->4544 4546 405227 4541->4546 4547 40521f SendMessageA 4541->4547 4542->4539 4566 4050f6 4542->4566 
4588 404d58 SendMessageA 4542->4588 4548 404f2c SendMessageA SendMessageA 4543->4548 4549 404f5e 4544->4549 4553 40446c 8 API calls 4545->4553 4558 405240 4546->4558 4559 405239 ImageList_Destroy 4546->4559 4563 405250 4546->4563 4547->4546 4548->4538 4550 404405 18 API calls 4549->4550 4567 404f6f 4550->4567 4551->4545 4556 4051d7 SendMessageA 4551->4556 4552 40515b SendMessageA 4552->4539 4557 405416 4553->4557 4555 4053ca 4555->4545 4564 4053dc ShowWindow GetDlgItem ShowWindow 4555->4564 4561 4051ea 4556->4561 4562 405249 GlobalFree 4558->4562 4558->4563 4559->4558 4560 405049 GetWindowLongA SetWindowLongA 4565 405062 4560->4565 4573 4051fb SendMessageA 4561->4573 4562->4563 4563->4555 4568 40528b 4563->4568 4593 404dd8 4563->4593 4564->4545 4569 405067 ShowWindow 4565->4569 4570 40507f 4565->4570 4566->4539 4566->4552 4567->4560 4572 404fc1 SendMessageA 4567->4572 4574 405044 4567->4574 4576 405013 SendMessageA 4567->4576 4577 404fff SendMessageA 4567->4577 4581 4052b9 SendMessageA 4568->4581 4585 4052cf 4568->4585 4586 40443a SendMessageA 4569->4586 4587 40443a SendMessageA 4570->4587 4572->4567 4573->4541 4574->4560 4574->4565 4576->4567 4577->4567 4579 405395 4580 4053a0 InvalidateRect 4579->4580 4582 4053ac 4579->4582 4580->4582 4581->4585 4582->4555 4602 404d13 4582->4602 4584 405343 SendMessageA SendMessageA 4584->4585 4585->4579 4585->4584 4586->4545 4587->4542 4589 404db7 SendMessageA 4588->4589 4590 404d7b GetMessagePos ScreenToClient SendMessageA 4588->4590 4592 404daf 4589->4592 4591 404db4 4590->4591 4590->4592 4591->4589 4592->4566 4605 406388 lstrcpynA 4593->4605 4595 404deb 4606 4062e6 wsprintfA 4595->4606 4597 404df5 4598 40140b 2 API calls 4597->4598 4599 404dfe 4598->4599 4607 406388 lstrcpynA 4599->4607 4601 404e05 4601->4568 4608 404c4e 4602->4608 4604 404d28 4604->4555 4605->4595 4606->4597 4607->4601 4609 404c64 4608->4609 4610 40641b 17 API calls 4609->4610 4611 404cc8 4610->4611 4612 40641b 17 API calls 4611->4612 4613 404cd3 4612->4613 
4614 40641b 17 API calls 4613->4614 4615 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4614->4615 4615->4604 4616 40298a 4617 402c17 17 API calls 4616->4617 4619 402990 4617->4619 4618 40641b 17 API calls 4620 4027c8 4618->4620 4619->4618 4619->4620 4621 403f0b 4622 403f23 4621->4622 4623 404084 4621->4623 4622->4623 4624 403f2f 4622->4624 4625 4040d5 4623->4625 4626 404095 GetDlgItem GetDlgItem 4623->4626 4627 403f3a SetWindowPos 4624->4627 4628 403f4d 4624->4628 4630 40412f 4625->4630 4641 401389 2 API calls 4625->4641 4629 404405 18 API calls 4626->4629 4627->4628 4632 403f56 ShowWindow 4628->4632 4633 403f98 4628->4633 4634 4040bf SetClassLongA 4629->4634 4631 404451 SendMessageA 4630->4631 4635 40407f 4630->4635 4662 404141 4631->4662 4636 404042 4632->4636 4637 403f76 GetWindowLongA 4632->4637 4638 403fa0 DestroyWindow 4633->4638 4639 403fb7 4633->4639 4640 40140b 2 API calls 4634->4640 4642 40446c 8 API calls 4636->4642 4637->4636 4643 403f8f ShowWindow 4637->4643 4691 40438e 4638->4691 4644 403fbc SetWindowLongA 4639->4644 4645 403fcd 4639->4645 4640->4625 4646 404107 4641->4646 4642->4635 4643->4633 4644->4635 4645->4636 4650 403fd9 GetDlgItem 4645->4650 4646->4630 4647 40410b SendMessageA 4646->4647 4647->4635 4648 40140b 2 API calls 4648->4662 4649 404390 DestroyWindow EndDialog 4649->4691 4652 404007 4650->4652 4653 403fea SendMessageA IsWindowEnabled 4650->4653 4651 4043bf ShowWindow 4651->4635 4655 404014 4652->4655 4656 40405b SendMessageA 4652->4656 4657 404027 4652->4657 4665 40400c 4652->4665 4653->4635 4653->4652 4654 40641b 17 API calls 4654->4662 4655->4656 4655->4665 4656->4636 4660 404044 4657->4660 4661 40402f 4657->4661 4658 4043de SendMessageA 4658->4636 4659 404405 18 API calls 4659->4662 4664 40140b 2 API calls 4660->4664 4663 40140b 2 API calls 4661->4663 4662->4635 4662->4648 4662->4649 4662->4654 4662->4659 4666 404405 18 API calls 4662->4666 4682 4042d0 DestroyWindow 4662->4682 4663->4665 4664->4665 4665->4636 4665->4658 4667 4041bc 
[Execution graph edge data, rendered as a graph on the original page: node addresses with the API calls made at each node, covering the installer-stub routines at 0x401xxx-0x406xxx (GetDlgItem, ShowWindow, RegEnumValueA, FindFirstFileA, SetCurrentDirectoryA, GetShortPathNameA, ...) and the DLL routines at 0x10001xxx (GetVersionExA, NtQuerySystemInformation, OpenProcess, EnumWindows, TerminateProcess, ...).]

Control-flow Graph

• Executed
• Not Executed

[control_flow_graph: basic-block graph of the function at 004034CC (blocks 4034cc-403a76, entry calls SetErrorMode and GetVersionExA), rendered as a graph on the original page; the APIs reached from these blocks are listed below.]
APIs
• SetErrorMode.KERNEL32(00008001), ref: 004034EF
• GetVersionExA.KERNEL32(?), ref: 00403518
• GetVersionExA.KERNEL32(0000009C), ref: 0040352F
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
• #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
• OleInitialize.OLE32(00000000), ref: 0040363C
• SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
• GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
• CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000020,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000000,?,00000007,00000009,0000000B), ref: 004036A9
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
• DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
• ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
• OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
• ExitProcess.KERNEL32 ref: 004038D4
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000000,?,?,00000007,00000009,0000000B), ref: 00403901
• lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
• SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
• DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
• CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\C9EB.exe,0041F910,00000001), ref: 0040399B
• CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
• GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
• OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
• ExitProcess.KERNEL32 ref: 00403A76
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\C9EB.exe$C:\Users\user\AppData\Local\Temp\C9EB.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2882342585-1084925954
• Opcode ID: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
• Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
• Opcode Fuzzy Hash: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
• Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Control-flow Graph (rendered graph and edge list not reproduced)
APIs
• GetVersionExA.KERNEL32(?), ref: 100010F2
Strings
Memory Dump Source
• Source File: 00000008.00000002.4183580426.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000008.00000002.4178910774.0000000010000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.4201042701.0000000010002000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.4210270577.0000000010004000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_C9EB.jbxd
Similarity
• API ID: Version
• String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
• API String ID: 1889659487-877962304
• Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
• Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
• Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
• Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

Control-flow Graph (rendered graph and edge list not reproduced)
APIs
• DeleteFileA.KERNEL32(?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405B73
• lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405BBB
• lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405BDC
• lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405BE2
• FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405BF3
• FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
• FindClose.KERNEL32(00000000), ref: 00405CB1
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\C9EB.exe$\*.*
• API String ID: 2035342205-3962925373
• Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
• Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
• Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
• Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Control-flow Graph (rendered graph and edge list not reproduced)
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                                                                                                                                                                                            • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406716
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                            • String ID: C:\
                                                                                                                                                                                                                            • API String ID: 2295610775-3404278061
                                                                                                                                                                                                                            • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                                                                                                                                                                                            • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Control-flow Graph

control_flow_graph 142 403b6e-403b86 call 406794 145 403b88-403b98 call 4062e6 142->145 146 403b9a-403bcb call 40626f 142->146 155 403bee-403c17 call 403e33 call 405e08 145->155 150 403be3-403be9 lstrcatA 146->150 151 403bcd-403bde call 40626f 146->151 150->155 151->150 160 403c1d-403c22 155->160 161 403c9e-403ca6 call 405e08 155->161 160->161 162 403c24-403c48 call 40626f 160->162 166 403cb4-403cd9 LoadImageA 161->166 167 403ca8-403caf call 40641b 161->167 162->161 169 403c4a-403c4c 162->169 171 403d5a-403d62 call 40140b 166->171 172 403cdb-403d0b RegisterClassA 166->172 167->166 173 403c5d-403c69 lstrlenA 169->173 174 403c4e-403c5b call 405d45 169->174 185 403d64-403d67 171->185 186 403d6c-403d77 call 403e33 171->186 175 403d11-403d55 SystemParametersInfoA CreateWindowExA 172->175 176 403e29 172->176 180 403c91-403c99 call 405d1a call 406388 173->180 181 403c6b-403c79 lstrcmpiA 173->181 174->173 175->171 179 403e2b-403e32 176->179 180->161 181->180 184 403c7b-403c85 GetFileAttributesA 181->184 188 403c87-403c89 184->188 189 403c8b-403c8c call 405d61 184->189 185->179 195 403e00-403e08 call 40557b 186->195 196 403d7d-403d97 ShowWindow call 406726 186->196 188->180 188->189 189->180 203 403e22-403e24 call 40140b 195->203 204 403e0a-403e10 195->204 201 403da3-403db5 GetClassInfoA 196->201 202 403d99-403d9e call 406726 196->202 207 403db7-403dc7 GetClassInfoA RegisterClassA 201->207 208 403dcd-403dfe DialogBoxParamA call 40140b call 403abe 201->208 202->201 203->176 204->185 209 403e16-403e1d call 40140b 204->209 207->208 208->179 209->185
APIs
  • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
  • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
• lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000009,0000000B), ref: 00403BE9
• lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,?,?,C:\Windows\wininit.ini,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
• lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
• GetFileAttributesA.KERNEL32(C:\Windows\wininit.ini,?,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000009,0000000B), ref: 00403C7C
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
• RegisterClassA.USER32(00423EE0), ref: 00403D02
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
• ShowWindow.USER32(00000005,00000000,?,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000009,0000000B), ref: 00403D85
• GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
• GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
• RegisterClassA.USER32(00423EE0), ref: 00403DC7
• DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\C9EB.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
• API String ID: 1975747703-1276686669
• Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
• Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
• Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
• Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Control-flow Graph

control_flow_graph 275 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 278 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 275->278 279 402fac-402fb1 275->279 287 402fea 278->287 288 4030cf-4030dd call 402ebd 278->288 280 4031f6-4031fa 279->280 290 402fef-403006 287->290 295 4030e3-4030e6 288->295 296 4031ae-4031b3 288->296 292 403008 290->292 293 40300a-403013 call 40346e 290->293 292->293 300 403019-403020 293->300 301 40316a-403172 call 402ebd 293->301 298 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 295->298 299 4030e8-403100 call 403484 call 40346e 295->299 296->280 326 403160-403165 298->326 327 403174-4031a4 call 403484 call 4031fd 298->327 299->296 321 403106-40310c 299->321 305 403022-403036 call 405ed6 300->305 306 40309c-4030a0 300->306 301->296 311 4030aa-4030b0 305->311 324 403038-40303f 305->324 310 4030a2-4030a9 call 402ebd 306->310 306->311 310->311 317 4030b2-4030bc call 40684b 311->317 318 4030bf-4030c7 311->318 317->318 318->290 325 4030cd 318->325 321->296 321->298 324->311 329 403041-403048 324->329 325->288 326->280 335 4031a9-4031ac 327->335 329->311 331 40304a-403051 329->331 331->311 334 403053-40305a 331->334 334->311 336 40305c-40307c 334->336 335->296 337 4031b5-4031c6 335->337 336->296 338 403082-403086 336->338 339 4031c8 337->339 340 4031ce-4031d3 337->340 341 403088-40308c 338->341 342 40308e-403096 338->342 339->340 343 4031d4-4031da 340->343 341->325 341->342 342->311 344 403098-40309a 342->344 343->343 345 4031dc-4031f4 call 405ed6 343->345 344->311 345->280
APIs
• GetTickCount.KERNEL32 ref: 00402F70
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\C9EB.exe,00000400), ref: 00402F8C
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
• GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\C9EB.exe,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00402FD5
• GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
• C:\Users\user\AppData\Local\Temp\C9EB.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
• C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
• Error launching installer, xrefs: 00402FAC
• Inst, xrefs: 00403041
• C:\Users\user\AppData\Local\Temp\C9EB.exe, xrefs: 00402F65
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
• Null, xrefs: 00403053
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
• soft, xrefs: 0040304A
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\C9EB.exe$C:\Users\user\AppData\Local\Temp\C9EB.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 2803837635-1211686375
• Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
• Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Control-flow Graph

control_flow_graph 405ff1-406160 (rendered graph omitted; executed and not-executed blocks are marked only in the figure; node and edge list not reproduced)
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
• GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
• GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
• wsprintfA.USER32 ref: 00406066
• GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
• SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsyC940.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
• GlobalFree.KERNEL32(00000000), ref: 0040614F
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$C:\Windows\wininit.ini$NUL$NUL=C:\Users\user\AppData\Local\Temp\nsyC940.tmp\$[Rename]
• API String ID: 2171350718-3137262356
• Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
• Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
• Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
• Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Control-flow Graph

control_flow_graph 40641b-406663 (rendered graph omitted; executed and not-executed blocks are marked only in the figure; node and edge list not reproduced)
APIs
• GetSystemDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400), ref: 00406549
• GetWindowsDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
• SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
• SHGetPathFromIDListA.SHELL32(00000000,C:\Windows\wininit.ini), ref: 004065A6
• CoTaskMemFree.OLE32(00000000), ref: 004065B2
• lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
• lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                            • String ID: C:\Windows\wininit.ini$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                                            • API String ID: 717251189-1428620962
                                                                                                                                                                                                                            • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                                                                                                                                                                                            • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Control-flow Graph

APIs
• lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\nsyC940.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
• API String ID: 1941528284-4208001357
• Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
• Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Control-flow Graph

control_flow_graph 582 406726-406746 GetSystemDirectoryA 583 406748 582->583 584 40674a-40674c 582->584 583->584 585 40675c-40675e 584->585 586 40674e-406756 584->586 588 40675f-406791 wsprintfA LoadLibraryExA 585->588 586->585 587 406758-40675a 586->587 587->588
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
• wsprintfA.USER32 ref: 00406776
• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
• Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
• Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
• Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
• Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 589 4068d9-4068fc 590 406906-406909 589->590 591 4068fe-406901 589->591 593 40690c-406915 590->593 592 407326-40732a 591->592 594 407323 593->594 595 40691b 593->595 594->592 596 406922-406926 595->596 597 406a62-407109 595->597 598 4069c7-4069cb 595->598 599 406a37-406a3b 595->599 603 40692c-406939 596->603 604 40730e-407321 596->604 608 407123-407139 597->608 609 40710b-407121 597->609 601 4069d1-4069ea 598->601 602 407277-407281 598->602 605 406a41-406a55 599->605 606 407286-407290 599->606 607 4069ed-4069f1 601->607 602->604 603->594 610 40693f-406985 603->610 604->592 611 406a58-406a60 605->611 606->604 607->598 613 4069f3-4069f9 607->613 612 40713c-407143 608->612 609->612 614 406987-40698b 610->614 615 4069ad-4069af 610->615 611->597 611->599 620 407145-407149 612->620 621 40716a-407176 612->621 618 406a23-406a35 613->618 619 4069fb-406a02 613->619 622 406996-4069a4 GlobalAlloc 614->622 623 40698d-406990 GlobalFree 614->623 616 4069b1-4069bb 615->616 617 4069bd-4069c5 615->617 616->616 616->617 617->607 618->611 625 406a04-406a07 GlobalFree 619->625 626 406a0d-406a1d GlobalAlloc 619->626 627 4072f8-407302 620->627 628 40714f-407167 620->628 621->593 622->594 624 4069aa 622->624 623->622 624->615 625->626 626->594 626->618 627->604 628->621
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 0-292220189
• Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
• Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
• Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Control-flow Graph
APIs
• GetTickCount.KERNEL32 ref: 00403319
  • Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
• SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 1092082344-292220189
• Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
• Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
• Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Control-flow Graph
APIs
• GetTickCount.KERNEL32 ref: 00405F5E
• GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-44229769
• Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
• Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
• Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
• GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2987980305-0
                                                                                                                                                                                                                            • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                                                                                                                                                                                            • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Control-flow Graph (blocks marked Executed / Not Executed)
control_flow_graph 704 403a7c-403a8b 705 403a97-403a9f 704->705 706 403a8d-403a90 CloseHandle 704->706 707 403aa1-403aa4 CloseHandle 705->707 708 403aab-403ab7 call 403ad9 call 405b4a 705->708 706->705 707->708 712 403abc-403abd 708->712
APIs
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
• C:\Users\user\AppData\Local\Temp\nsyC940.tmp\, xrefs: 00403AB2
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsyC940.tmp\
• API String ID: 2962429428-971952551
• Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
• Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
• Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
• Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
APIs
• SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FilePointer
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 973152223-292220189
• Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
• Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
APIs
  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405DC1
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
• GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
  • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
• SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C
Strings
• C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Roaming\GamePall\update
• API String ID: 1892508949-2725132131
• Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
• Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
• Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
• Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
APIs
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405DC1
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
• lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405E5B
• GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
• Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
• Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
• Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
• Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
• Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
• Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
• Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
• Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
• Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
• Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
• Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
• Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
• Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
• Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
• Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
• Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
• Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
• Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
• Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
APIs
• lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
• RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
APIs
  • Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
  • Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
• RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
• DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
• GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: ObjectSingleWait$CodeExitProcess
• String ID:
• API String ID: 2567322000-0
APIs
• ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
Strings
• o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FileRead
• String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
• API String ID: 2738559852-292220189
• Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
• Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
APIs
• RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
• RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
• Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
• Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
• Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
• Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
• Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
• Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
• Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
APIs
• GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
  • Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2547128583-0
                                                                                                                                                                                                                            • Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                                                                                                                                                                                            • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
APIs
• GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00405F1F
• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
• Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
• Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
APIs
• GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
• Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
APIs
• CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
• Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
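The API listings above are the raw material for triage of the dropped C9EB.exe image: the subroutine at 00406726 fetches the system directory into a 0x104-byte (MAX_PATH) buffer with GetSystemDirectoryA, formats a path with wsprintfA and loads it with LoadLibraryExA(?, 0, 00000008), where 0x8 is LOAD_WITH_ALTERED_SEARCH_PATH, and its caller then resolves symbols with GetProcAddress, i.e. the binary resolves imports at run time rather than through its import table; the GetFileAttributesA/CreateFileA and CreateDirectoryA sites carry the path C:\Users\user\AppData\Local\Temp\C9EB.exe and its directory in their stack snapshots. The Python below is an added example and is not part of this Joe Sandbox report or of any Joe Sandbox tooling: it parses lines in this "APIs" format into records, decodes the LoadLibraryEx dwFlags value, pulls absolute paths out of the argument snapshots as dropped-file candidates and groups call sites by image base using the Offset values from the Memory Dump Source blocks. The sample lines are constructed by copying entries from this report (the last two from the 0x10000000 image listed further down); the flag table and MAX_PATH are Win32 constants; the line grammar in API_RE is my assumption about the format, and because the argument list is a stack snapshot that may contain more values than the API has parameters, positional decoding is only applied to the leading parameters of known calls.

```python
"""Added example: parse Joe Sandbox 'APIs' lines into records and derive triage signals."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, copied from the listings on this page. The "Memory Dump
# Source" header is included to show that non-API lines are skipped.
SAMPLE_LINES = [
    "• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1",
    "• Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D",
    "• Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776",
    "• Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A",
    "• GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\\Users\\user\\AppData\\Local\\Temp\\C9EB.exe,80000000,00000003), ref: 00405F1F",
    "• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41",
    "• CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\\Users\\user\\AppData\\Local\\Temp\\,C:\\Users\\user\\AppData\\Local\\Temp\\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2",
    "Memory Dump Source",
    "• lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454",
    "• GlobalFree.KERNELBASE(10003020), ref: 10001464",
]

# Assumed line grammar: "[•] [Part of subcall function HHHHHHHH: ]Api.MODULE[(args)][,] ref: HHHHHHHH"
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

MAX_PATH = 0x104  # GetSystemDirectoryA(?,00000104): a MAX_PATH-sized buffer

# Win32 LoadLibraryEx dwFlags bits
LOAD_LIBRARY_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES",
    0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x80: "LOAD_LIBRARY_REQUIRE_SIGNED_TARGET",
    0x100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]           # stack snapshot at the call site; '?' = value not recovered
    ref: int                  # call-site address
    subcall: Optional[int]    # enclosing subroutine when the line says "Part of subcall function"


def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    """Turn report lines into ApiCall records; lines that are not API entries are skipped."""
    calls = []
    for line in lines:
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """8-hex-digit snapshot values become ints; '?' and string arguments give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_load_flags(value: int) -> List[str]:
    return [name for bit, name in sorted(LOAD_LIBRARY_FLAGS.items()) if value & bit]


def loadlibrary_flags(calls: List[ApiCall]) -> Dict[int, List[str]]:
    """dwFlags (3rd parameter) of every LoadLibraryExA/W site, decoded to flag names."""
    out = {}
    for c in calls:
        if c.api in ("LoadLibraryExA", "LoadLibraryExW") and len(c.args) >= 3:
            v = hex_arg(c.args[2])
            if v is not None:
                out[c.ref] = decode_load_flags(v)
    return out


def dynamic_import_resolution(calls: List[ApiCall]) -> bool:
    """LoadLibrary* together with GetProcAddress in one listing: imports resolved at run time."""
    apis = {c.api for c in calls}
    return "GetProcAddress" in apis and any(a.startswith("LoadLibrary") for a in apis)


def path_arguments(calls: List[ApiCall]) -> List[str]:
    """Absolute Windows paths found anywhere in the stack snapshots; paths under
    %TEMP% are the dropped-file candidates worth extracting as indicators."""
    return sorted({a for c in calls for a in c.args if re.match(r"^[A-Za-z]:\\", a)})


def by_image_base(calls: List[ApiCall], bases: List[int]) -> Dict[int, List[str]]:
    """Group call sites by the image they fall in; bases are the Offset values of the
    Memory Dump Source blocks (0x400000 and 0x10000000 in this report)."""
    groups: Dict[int, List[str]] = {b: [] for b in bases}
    for c in calls:
        base = max((b for b in bases if c.ref >= b), default=None)
        if base is not None:
            groups[base].append(c.api)
    return groups


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(loadlibrary_flags(parsed))
    print(path_arguments(parsed))
    print(by_image_base(parsed, [0x400000, 0x10000000]))
```

Running it on the sample prints the single LoadLibraryExA site 0040678A with LOAD_WITH_ALTERED_SEARCH_PATH, the two %TEMP% paths, and the lstrcpynA/GlobalFree calls attributed to the 0x10000000 image. The same parser can be pointed at the full report text; only the "APIs" lines match, so the Memory Dump Source, Similarity and hash lines fall through unchanged.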
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                                                                                                                                                                                                                            • GlobalFree.KERNELBASE(10003020), ref: 10001464
Memory Dump Source
• Source File: 00000008.00000002.4183580426.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10000000_C9EB.jbxd
Similarity
• API ID: FreeGloballstrcpyn
• String ID:
• API String ID: 1459762280-0
APIs
• RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004114F7,0040B8F8,00403405,0040B8F8,004114F7,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Windows\wininit.ini), ref: 00406232
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B
  • Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
  • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
  • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
  • Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
  • Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
  • Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
  • Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
  • Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsyC940.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
  • Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
• String ID:
• API String ID: 299535525-0
• Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
• Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
• Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
• Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09
APIs
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
• Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
APIs
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
  • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
  • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
  • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
  • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
• Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
• Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
• Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
• Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405646
• GetDlgItem.USER32(?,000003EE), ref: 00405655
• GetClientRect.USER32(?,?), ref: 00405692
• GetSystemMetrics.USER32(00000002), ref: 00405699
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
• ShowWindow.USER32(?,00000008), ref: 00405735
• GetDlgItem.USER32(?,000003EC), ref: 00405756
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
• GetDlgItem.USER32(?,000003F8), ref: 00405664
  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
• GetDlgItem.USER32(?,000003EC), ref: 004057A7
• CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
• CloseHandle.KERNEL32(00000000), ref: 004057BC
• ShowWindow.USER32(00000000), ref: 004057DF
• ShowWindow.USER32(?,00000008), ref: 004057E6
• ShowWindow.USER32(00000008), ref: 0040582C
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
• CreatePopupMenu.USER32 ref: 00405871
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
• GetWindowRect.USER32(?,000000FF), ref: 004058A6
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                                                                                                                                                                                                                            • OpenClipboard.USER32(00000000), ref: 0040590B
                                                                                                                                                                                                                            • EmptyClipboard.USER32 ref: 00405911
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                                                                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405924
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                                                                                                                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                                                                                                                                                                                                                            • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 00405962
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                            • String ID: PB
                                                                                                                                                                                                                            • API String ID: 590372296-3196168531
                                                                                                                                                                                                                            • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                                                                                                                                                                            • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
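The record above is Joe Sandbox's per-function API summary: one line per call site in the form `Name.MODULE(args), ref: address`, with `Part of subcall function` marking calls made by a callee. When triaging a report like this, a practitioner usually wants the listing in machine-readable form so that call chains can be checked in address order and raw constants can be named. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses lines of that format (the sample input is constructed by copying lines from the first record above), names a few Win32 constants whose values come from the SDK headers (LVM_GETITEMCOUNT, LVM_GETITEMTEXTA, CF_TEXT, GMEM_MOVEABLE|GMEM_ZEROINIT), and confirms that the OpenClipboard ... SetClipboardData ... CloseClipboard sequence occurs in increasing address order, which is what a "copy text to clipboard" routine looks like at the API level. The regular expression and the `Call` record are my assumptions about the listing format, derived only from the lines shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the first function record above.
SAMPLE = """\
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
• CreatePopupMenu.USER32 ref: 00405871
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
• GetWindowRect.USER32(?,000000FF), ref: 004058A6
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
• OpenClipboard.USER32(00000000), ref: 0040590B
• EmptyClipboard.USER32 ref: 00405911
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
• GlobalLock.KERNEL32(00000000), ref: 00405924
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
• GlobalUnlock.KERNEL32(00000000), ref: 00405951
• SetClipboardData.USER32(00000001,00000000), ref: 0040595C
• CloseClipboard.USER32 ref: 00405962
  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
"""

# Assumed line grammar (derived from the lines on this page):
#   [Part of subcall function XXXXXXXX:] Name.MODULE[(arg,arg,...)][,] ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]            # raw tokens; "?" means the sandbox could not resolve the value
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address when the line is a "Part of subcall" entry


def parse_listing(text: str) -> List[Call]:
    """Parse every non-empty line of an APIs listing; unknown layouts raise instead of being skipped."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        args = m.group("args").split(",") if m.group("args") else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def arg_int(token: str) -> Optional[int]:
    """Eight-hex-digit argument -> int; '?' and string arguments -> None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


# Values from the Win32 SDK headers (commctrl.h, winuser.h, winbase.h).
LVM_GETITEMCOUNT = 0x1004
LVM_GETITEMTEXTA = 0x102D
CF_TEXT = 0x0001
GMEM_MOVEABLE, GMEM_ZEROINIT = 0x0002, 0x0040


def annotate(call: Call) -> str:
    """Name the constant in the argument position that matters for this API, or ''."""
    if call.api.startswith("SendMessage") and len(call.args) > 1:
        names = {LVM_GETITEMCOUNT: "LVM_GETITEMCOUNT", LVM_GETITEMTEXTA: "LVM_GETITEMTEXTA"}
        return names.get(arg_int(call.args[1]), "")
    if call.api == "SetClipboardData" and call.args and arg_int(call.args[0]) == CF_TEXT:
        return "CF_TEXT"
    if call.api == "GlobalAlloc" and call.args:
        if arg_int(call.args[0]) == (GMEM_MOVEABLE | GMEM_ZEROINIT):
            return "GMEM_MOVEABLE|GMEM_ZEROINIT"
    return ""


CLIPBOARD_COPY = ["OpenClipboard", "EmptyClipboard", "GlobalAlloc", "GlobalLock",
                  "GlobalUnlock", "SetClipboardData", "CloseClipboard"]


def find_chain(calls: List[Call], chain: List[str]) -> Optional[List[int]]:
    """Return the refs at which `chain` occurs as an in-address-order subsequence of the
    function's own calls (subcall entries excluded), or None if it does not occur."""
    own = sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)
    refs, i = [], 0
    for c in own:
        if i < len(chain) and c.api == chain[i]:
            refs.append(c.ref)
            i += 1
    return refs if i == len(chain) else None


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        tag = annotate(c)
        print(f"{c.ref:08X} {c.api}.{c.module}" + (f"  [{tag}]" if tag else ""))
    hit = find_chain(parsed, CLIPBOARD_COPY)
    print("clipboard write chain:", [f"{r:08X}" for r in hit] if hit else "not found")
```

Address order matters: Joe Sandbox lists call sites in the order it encountered them, which is usually but not always ascending, so `find_chain` sorts by `ref` before matching and ignores `Part of subcall` entries, which belong to a different function.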
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004048E6
• SetWindowTextA.USER32(00000000,?), ref: 00404910
• SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
• CoTaskMemFree.OLE32(00000000), ref: 004049CC
• lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
• lstrcatA.KERNEL32(?,C:\Windows\wininit.ini), ref: 00404A0A
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
  • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
  • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
• GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
  • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
  • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
  • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$PB
• API String ID: 2624150263-292181263
• Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
• Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
• Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
• Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\GamePall\update
• API String ID: 123533781-2725132131
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404E21
• GetDlgItem.USER32(?,00000408), ref: 00404E2E
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
• LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
• SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
• ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
• SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
• DeleteObject.GDI32(00000110), ref: 00404F0B
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
• SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
• GetWindowLongA.USER32(?,000000F0), ref: 0040504E
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
• ShowWindow.USER32(?,00000005), ref: 0040506C
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
• SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
• SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
• ImageList_Destroy.COMCTL32(?), ref: 0040523A
• GlobalFree.KERNEL32(?), ref: 0040524A
• SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
• SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
• SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
• InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
• ShowWindow.USER32(?,00000000), ref: 004053F4
• GetDlgItem.USER32(?,000003FE), ref: 004053FF
• ShowWindow.USER32(00000000), ref: 00405406
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
• ShowWindow.USER32(?), ref: 00403F67
• GetWindowLongA.USER32(?,000000F0), ref: 00403F79
• ShowWindow.USER32(?,00000004), ref: 00403F92
• DestroyWindow.USER32 ref: 00403FA6
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
• GetDlgItem.USER32(?,?), ref: 00403FDE
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
• IsWindowEnabled.USER32(00000000), ref: 00403FF9
• GetDlgItem.USER32(?,00000001), ref: 004040A4
• GetDlgItem.USER32(?,00000002), ref: 004040AE
• SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
• GetDlgItem.USER32(?,00000003), ref: 004041BF
• ShowWindow.USER32(00000000,?), ref: 004041E0
• EnableWindow.USER32(?,?), ref: 004041F2
• EnableWindow.USER32(?,?), ref: 0040420D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
• EnableMenuItem.USER32(00000000), ref: 0040422A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
• lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                                                                                                                                                                                                                            • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                                                                                                                                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 004043C2
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                                                            • String ID: PB
                                                                                                                                                                                                                            • API String ID: 1860320154-3196168531
                                                                                                                                                                                                                            • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                                                                                                                                                                                            • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
• GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
• GetSysColor.USER32(?), ref: 0040463E
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
• lstrlenA.KERNEL32(?), ref: 0040465F
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
• GetDlgItem.USER32(?,0000040A), ref: 004046E5
• SendMessageA.USER32(00000000), ref: 004046E8
• GetDlgItem.USER32(?,000003E8), ref: 00404713
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
• LoadCursorA.USER32(00000000,00007F02), ref: 00404762
• SetCursor.USER32(00000000), ref: 0040476B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404781
• SetCursor.USER32(00000000), ref: 00404784
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$6B
• API String ID: 3103080414-649610290
• Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
• Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                            • String ID: F
                                                                                                                                                                                                                            • API String ID: 941294808-1304234792
                                                                                                                                                                                                                            • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                            • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                                                                                                                                                                            • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                            • String ID: 4/@
                                                                                                                                                                                                                            • API String ID: 2531174081-3101945251
                                                                                                                                                                                                                            • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                                                                                                                                                                            • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
APIs
• CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
• CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
• CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
• CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\C9EB.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
• C:\Users\user\AppData\Local\Temp\C9EB.exe, xrefs: 00406666
• *?|<>/":, xrefs: 004066AE
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\C9EB.exe
• API String ID: 589700163-1091171430
• Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
• Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
• Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
• Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
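The function-trace entries above follow a fixed line shape (an `API.MODULE(args), ref: ADDR` call line, an indented `Part of subcall function CALLER:` variant, and a `value, xrefs: ADDR` string line). When triaging a report like this one it is faster to parse those lines into records than to read them by eye, so that per-function API counts, `SendMessageA` message IDs and the dropped-file path under the user's Temp directory can be pulled out mechanically. The parser below is an added example written for this page, not code from Joe Sandbox or from the sample. The trace text is constructed from the entries above and embedded so it runs offline; the `LISTVIEW_MSGS` decode table is an assumption (it is only correct if the `SendMessageA` target, shown as `?` in the trace, is a ListView control), and the `pivot_strings` heuristic is the author's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied in the shape the report uses above (some
# argument lists shortened). Raw string so the backslashes in the paths stay as-is.
SAMPLE_TRACE = r"""
lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 004066BE
GetTickCount.KERNEL32 ref: 00402EF3
Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
C:\Users\user\AppData\Local\Temp\C9EB.exe, xrefs: 00406666
*?|<>/":, xrefs: 004066AE
"""

# "API.MODULE(args), ref: ADDR"; the parens are optional (GetTickCount has none)
# and an optional "Part of subcall function CALLER: " prefix marks nested calls.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# "value, xrefs: ADDR" string-reference lines.
XREF_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<ref>[0-9A-F]{8})$")

# ASSUMPTION: decode as ListView messages (LVM_FIRST = 0x1000). Only valid if the
# hwnd passed to SendMessageA is a ListView; the trace shows it as "?".
LISTVIEW_MSGS = {0x1004: "LVM_GETITEMCOUNT", 0x1007: "LVM_INSERTITEMA", 0x1013: "LVM_ENSUREVISIBLE"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw argument strings exactly as printed in the trace
    ref: int               # address of the call site
    caller: Optional[int]  # set only for "Part of subcall function" lines


@dataclass(frozen=True)
class StringXref:
    value: str
    ref: int


def parse_trace(text):
    """Split report lines into API-call records and string-xref records."""
    calls, xrefs = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()   # tolerate the report's bullets
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            caller = int(m["caller"], 16) if m["caller"] else None
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
            continue
        m = XREF_RE.match(line)
        if m:
            xrefs.append(StringXref(m["value"], int(m["ref"], 16)))
    return calls, xrefs


def decode_send_message(call):
    """(message name, wParam, lParam) for a SendMessageA record, else None."""
    if call.api != "SendMessageA" or len(call.args) < 4:
        return None
    msg = int(call.args[1], 16)
    return LISTVIEW_MSGS.get(msg, f"WM_0x{msg:04X}"), call.args[2], call.args[3]


def summarize(calls):
    """Per-API call counts for the function itself; subcall lines are skipped so
    a helper's activity is not double-counted inside its caller's entry."""
    return Counter(c.api for c in calls if c.caller is None)


def pivot_strings(xrefs):
    """Heuristic (author's own): keep the invalid-filename character set, which
    marks a filename-sanitising routine, and any *.exe path, which is the
    dropped-file artefact a responder would pivot on."""
    return [x for x in xrefs if x.value == '*?|<>/":' or x.value.lower().endswith(".exe")]


if __name__ == "__main__":
    calls, xrefs = parse_trace(SAMPLE_TRACE)
    for api, n in summarize(calls).most_common():
        print(f"{n:3d}  {api}")
    for c in calls:
        if (d := decode_send_message(c)):
            print(f"{c.ref:08X}  SendMessageA {d[0]} wParam={d[1]} lParam={d[2]}")
    for x in pivot_strings(xrefs):
        print(f"{x.ref:08X}  {x.value}")
```

Run against a whole report the counts make it obvious which entries are GUI plumbing (window text, list-view updates, progress percentages) and which touch the file system or the dropped executable; the decode table should be swapped for the right message family once the target window class is confirmed in the dump.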
APIs
• DestroyWindow.USER32(?,00000000), ref: 00402ED5
• GetTickCount.KERNEL32 ref: 00402EF3
• wsprintfA.USER32 ref: 00402F21
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
• ShowWindow.USER32(00000000,00000005), ref: 00402F53
  • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%$#Vh%.@
• API String ID: 722711167-1706192003
• Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
• Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                                                                                                                                                                                                                            • GetSysColor.USER32(00000000), ref: 004044C7
                                                                                                                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 004044D3
                                                                                                                                                                                                                            • SetBkMode.GDI32(?,?), ref: 004044DF
                                                                                                                                                                                                                            • GetSysColor.USER32(?), ref: 004044F2
                                                                                                                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00404502
                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 0040451C
                                                                                                                                                                                                                            • CreateBrushIndirect.GDI32(?), ref: 00404526
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2320649405-0
                                                                                                                                                                                                                            • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                                                                                                                                                                            • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                                                                                                                                                                                                                            • GetMessagePos.USER32 ref: 00404D7B
                                                                                                                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00404D95
                                                                                                                                                                                                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                                                                                                                                                                                                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                            • String ID: f
                                                                                                                                                                                                                            • API String ID: 41195575-1993550816
                                                                                                                                                                                                                            • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                                                                                                                            • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004059C6
                                                                                                                                                                                                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 004059E5
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                            • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                            • API String ID: 3449924974-3700438604
                                                                                                                                                                                                                            • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                                                                                                                            • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
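The function summarised directly above creates a directory under the user's Temp path and then calls SetFileSecurityA on it with a SECURITY_INFORMATION mask of 80000007. Decoded against the documented winnt.h bit values, that mask is OWNER | GROUP | DACL | PROTECTED_DACL: the code writes an explicit owner, group and DACL and marks the DACL as protected, so ACEs are no longer inherited from the parent directory. Locking a freshly created staging directory this way is common in legitimate installers, so on its own it is context rather than an indicator; the report lists it without a signature. As an added example (not part of the Joe Sandbox report or of the sample), the Python below parses the report's "APIs" lines into records, decodes the mask, and flags the create-directory-then-set-protected-DACL sequence. The input is a constructed copy of the four API lines above, and the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the four "APIs" lines of the report function above, as rendered.
REPORT_EXCERPT = r"""APIs
• CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
• GetLastError.KERNEL32 ref: 004059C6
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
• GetLastError.KERNEL32 ref: 004059E5
Strings
"""

# One "• Name.MODULE(args), ref: ADDR" line; the "(args)" part is absent for no-arg calls.
API_LINE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented SECURITY_INFORMATION bit values (winnt.h).
SECURITY_INFORMATION = {
    0x00000001: "OWNER_SECURITY_INFORMATION",
    0x00000002: "GROUP_SECURITY_INFORMATION",
    0x00000004: "DACL_SECURITY_INFORMATION",
    0x00000008: "SACL_SECURITY_INFORMATION",
    0x00000010: "LABEL_SECURITY_INFORMATION",
    0x10000000: "UNPROTECTED_SACL_SECURITY_INFORMATION",
    0x20000000: "UNPROTECTED_DACL_SECURITY_INFORMATION",
    0x40000000: "PROTECTED_SACL_SECURITY_INFORMATION",
    0x80000000: "PROTECTED_DACL_SECURITY_INFORMATION",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0


def parse_api_block(text):
    """Return the ApiCall records found in a report 'APIs' listing, in listing order."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip())
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def decode_security_information(mask):
    """Names of the SECURITY_INFORMATION bits set in mask, lowest bit first.
    Bits this table does not know are reported as hex so nothing is silently dropped."""
    names = [SECURITY_INFORMATION[bit] for bit in sorted(SECURITY_INFORMATION) if mask & bit]
    leftover = mask & ~sum(SECURITY_INFORMATION)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def find_protected_dacl_on_created_dir(calls):
    """Flag a CreateDirectoryA followed, in the same listing, by a SetFileSecurityA whose
    mask includes PROTECTED_DACL (explicit DACL, inheritance from the parent disabled).
    Returns a dict describing the hit, or None when the pattern is absent."""
    created_path = None
    for call in calls:
        if call.name == "CreateDirectoryA":
            # The report renders the path argument literally; pick the one that looks like one.
            created_path = next((a for a in call.args if ":\\" in a), None)
        elif call.name == "SetFileSecurityA" and created_path is not None and len(call.args) >= 2:
            try:
                mask = int(call.args[1], 16)
            except ValueError:
                continue  # argument was not recovered ("?"), cannot decode
            names = decode_security_information(mask)
            if "PROTECTED_DACL_SECURITY_INFORMATION" in names:
                return {"path": created_path, "security_information": names, "ref": call.ref}
    return None


if __name__ == "__main__":
    calls = parse_api_block(REPORT_EXCERPT)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.name}({', '.join(c.args)})")
    print(find_protected_dacl_on_created_dir(calls))
```

The parser keys each record on the report's "ref" address, so the same records can be joined against the disassembly snapshot named in the Memory Dump Source lines; unrecovered arguments (rendered as "?") are kept as-is rather than guessed.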
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
• wsprintfA.USER32 ref: 00402E74
• SetWindowTextA.USER32(?,?), ref: 00402E84
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                                                                            • API String ID: 1451636040-1158693248
                                                                                                                                                                                                                            • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                                                                                                                                                                            • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 004028A4
                                                                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 004028B7
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                                                                                                                                                                                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2667972263-0
                                                                                                                                                                                                                            • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                                                                                                                                                                                            • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
                                                                                                                                                                                                                            • EnumWindows.USER32(10001007,?), ref: 10001074
                                                                                                                                                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 100010C5
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.4183580426.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.4178910774.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.4201042701.0000000010002000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.4210270577.0000000010004000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_10000000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3465249596-0
                                                                                                                                                                                                                            • Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                                                                                                                                                                                            • Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                                                                                                                                                                            • wsprintfA.USER32 ref: 00404CF4
                                                                                                                                                                                                                            • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                                            • String ID: %u.%u%s%s$PB
                                                                                                                                                                                                                            • API String ID: 3540041739-838025833
                                                                                                                                                                                                                            • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                                                                                                                                                                                            • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
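The function summaries in this part of the report are raw IDA-plugin output: an API list with call-site addresses and hex argument values, the dump the code came from and its image base, and similarity hashes. The following parser is an added example, not part of the Joe Sandbox report or of the analysed sample. It embeds a constructed excerpt of two summaries from this section (the process-termination routine at 10001054 in the 10000000 module and the registry-key deletion routine at 00402D8F that follows), turns each into a queryable record, converts call-site addresses to image-relative offsets with the dump's stated base, decodes the OpenProcess access mask 00100401 (PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE) and the WaitForSingleObject timeout 00000BB8 (3000 ms), and flags API combinations that matter in triage. The behaviour labels and the rights table are my own choices, not part of the report format.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and triage API combinations."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of two function summaries from this report, with the
# leading whitespace and "Download File" link text stripped. Field layout
# follows the report; the values are copied from it, none are invented.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
• EnumWindows.USER32(10001007,?), ref: 10001074
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
• WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
• CloseHandle.KERNEL32(00000000), ref: 100010C5
Memory Dump Source
• Source File: 00000008.00000002.4183580426.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
• API String ID: 3465249596-0
• Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(r"^•?\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s*(\S+), Offset:\s*([0-9A-Fa-f]+)")
KV_RE = re.compile(r"^•?\s*([^:]+):\s*(.*)$")

# Subset of PROCESS_* access rights (winnt.h values); unknown bits are kept as hex.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x00100000: "SYNCHRONIZE",
}

# Triage labels (my own, hypothetical taxonomy): API set that must all be present.
BEHAVIOURS = {
    "kills another process": {"OpenProcess", "TerminateProcess"},
    "recursive registry key deletion": {"RegEnumKeyA", "RegDeleteKeyA"},
    "deletes a file it had open": {"CloseHandle", "DeleteFileA"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int                   # call-site virtual address as printed


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    dump: str = ""
    image_base: int = 0
    meta: Dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set:
        return {c.name for c in self.apis}

    def rva(self, call: ApiCall) -> int:
        """Call site relative to the dump's stated image base."""
        return call.ref - self.image_base


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report text into one FunctionBlock per 'APIs' section."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            arg_text = m.group(3) or ""
            args = [None if a == "?" else int(a, 16) for a in arg_text.split(",") if a]
            cur.apis.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.dump, cur.image_base = m.group(1), int(m.group(2), 16)
            continue
        m = KV_RE.match(line)
        if m:  # API ID, String ID, fuzzy hashes, Snapshot File, ...
            cur.meta[m.group(1).strip()] = m.group(2).strip()
    return blocks


def decode_process_access(mask: int) -> List[str]:
    names = [n for bit, n in PROCESS_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def match_behaviours(block: FunctionBlock) -> List[str]:
    names = block.api_names()
    return [label for label, need in BEHAVIOURS.items() if need <= names]


def triage(text: str) -> List[dict]:
    """One record per function: where it lives, what it calls, what that suggests."""
    out = []
    for b in parse_blocks(text):
        notes = []
        for c in b.apis:
            if c.name == "OpenProcess" and c.args and c.args[0] is not None:
                notes.append("OpenProcess access = " + "|".join(decode_process_access(c.args[0])))
            if c.name == "WaitForSingleObject" and len(c.args) > 1 and c.args[1] is not None:
                notes.append(f"WaitForSingleObject timeout = {c.args[1]} ms")
        out.append({
            "image_base": b.image_base, "dump": b.dump,
            "calls": [(c.name, f"{b.rva(c):06X}") for c in b.apis],
            "behaviours": match_behaviours(b), "notes": notes,
        })
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(f"{rec['image_base']:08X}  {rec['behaviours']}  {rec['notes']}")
```

Running it over the embedded excerpt reports the 10000000 module as "kills another process" with the decoded access mask and the 3 s wait, and the 00400000 routine as "recursive registry key deletion". The same parser runs over a whole exported report once the "Download File" link text is removed, which is what makes the fuzzy hashes and API IDs in these blocks useful for matching functions across samples.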
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
• Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
• Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
• Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
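The per-function "APIs" lists above are the most useful part of these annotations for triage: the call-site order of RegEnumValueA, RegEnumKeyA, RegDeleteKeyA and RegCloseKey in one function is the shape of a routine that walks and deletes a registry subtree, and the GetDlgItem / LoadImageA / SendMessageA(0x172) sequence in the next function is dialog setup. The script below is an added example, not code from the report or from Joe Sandbox: it parses lines in exactly the format printed above (the sample input is copied from the two functions on this page) into (API, module, arguments, call-site address) records, then applies a small set of hypothetical triage rules. The rule names and the rule table are assumptions introduced here; only the API names and addresses come from the report.

```python
import re

# Constructed input: the "APIs" lists of the two functions annotated above,
# copied verbatim so the script runs offline without the report.
REPORT_LINES = """
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
Memory Dump Source
APIs
• GetDlgItem.USER32(?,?), ref: 00401D7E
• GetClientRect.USER32(?,?), ref: 00401DCC
• LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
• SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
• DeleteObject.GDI32(00000000), ref: 00401E20
Memory Dump Source
"""

# One call line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Hypothetical triage rules (assumption, not Joe Sandbox's own classification):
# a function gets a label when its API set contains every API in the rule.
RULES = {
    "registry-tree-deletion": {"RegEnumKeyA", "RegDeleteKeyA", "RegCloseKey"},
    "dialog-image-setup": {"GetDlgItem", "LoadImageA", "SendMessageA"},
}

# Window message constants that appear as literal arguments; STM_SETIMAGE is 0x172.
KNOWN_MESSAGES = {0x172: "STM_SETIMAGE"}


def parse_api_blocks(text):
    """Return a list of functions; each is a list of (api, module, args, ref)
    tuples in the order the report lists the call sites."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = tuple(a.strip() for a in m["args"].split(","))
            current.append((m["api"], m["module"], args, int(m["ref"], 16)))
        else:
            current = None  # any other heading (e.g. "Memory Dump Source") ends the list
    return blocks


def label_function(calls):
    """Labels from RULES whose API set is a subset of the function's calls."""
    names = {api for api, _, _, _ in calls}
    return sorted(label for label, needed in RULES.items() if needed <= names)


def sendmessage_messages(calls):
    """Literal message IDs passed as the second argument of SendMessageA ('?' = unknown)."""
    msgs = []
    for api, _, args, _ in calls:
        if api == "SendMessageA" and len(args) > 1 and args[1] != "?":
            msgs.append(int(args[1], 16))
    return msgs


def call_sites_ascending(calls):
    """True when the call-site addresses are unique and listed in increasing order,
    i.e. the list reads like the function's straight-line control flow."""
    refs = [ref for _, _, _, ref in calls]
    return refs == sorted(refs) and len(refs) == len(set(refs))


if __name__ == "__main__":
    for func in parse_api_blocks(REPORT_LINES):
        first = func[0][3]
        names = ", ".join(f"{api}.{mod}" for api, mod, _, _ in func)
        msgs = [KNOWN_MESSAGES.get(m, hex(m)) for m in sendmessage_messages(func)]
        print(f"{first:08X}: {label_function(func)} msgs={msgs} ordered={call_sites_ascending(func)}")
        print("   " + names)
```

The rules deliberately key on API names only; argument values are mostly "?" in these annotations because they are computed at run time, so the one literal worth decoding is the 0x172 message in the second function.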
APIs
• GetDlgItem.USER32(?,?), ref: 00401D7E
• GetClientRect.USER32(?,?), ref: 00401DCC
• LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
• SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
• DeleteObject.GDI32(00000000), ref: 00401E20
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
• Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
• Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
• Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
APIs
• GetDC.USER32(?), ref: 00401E38
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
• ReleaseDC.USER32(?,00000000), ref: 00401E6B
• CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
• Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
• Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
• Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
• Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
• Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                                                                                                                                                                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                                                                                                                                                                                            • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                            • API String ID: 2659869361-823278215
                                                                                                                                                                                                                            • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                                                                                                                                                                            • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\C9EB.exe), ref: 00405DC1
                                                                                                                                                                                                                            • CharNextA.USER32(00000000), ref: 00405DC6
                                                                                                                                                                                                                            • CharNextA.USER32(00000000), ref: 00405DDA
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharNext
                                                                                                                                                                                                                            • String ID: C:\
                                                                                                                                                                                                                            • API String ID: 3213498283-3404278061
                                                                                                                                                                                                                            • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                                                                                                                                                                                            • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsWindowVisible.USER32(?), ref: 0040544C
                                                                                                                                                                                                                            • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                                                                                                                                                                                                                              • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                            • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                                                                                                                                                                            • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Windows\wininit.ini,00420530,?,?,?,00000002,C:\Windows\wininit.ini,?,00406527,80000002), ref: 004062B5
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Windows\wininit.ini,C:\Windows\wininit.ini,C:\Windows\wininit.ini,?,00420530), ref: 004062C0
Strings
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: C:\Windows\wininit.ini
• API String ID: 3356406503-2725141966
• Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
• Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
• Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
• Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\C9EB.exe,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00405D67
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\C9EB.exe,C:\Users\user\AppData\Local\Temp\C9EB.exe,80000000,00000003), ref: 00405D75
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\AppData\Local\Temp
• API String ID: 2709904686-1943935188
• Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
• Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
• Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
• Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
• CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
• lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
Memory Dump Source
• Source File: 00000008.00000002.3876234540.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.3876202852.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876273223.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876311617.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.3876447127.0000000000462000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_C9EB.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
• Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
• Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
• Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Execution Graph

Execution Coverage: 1.2%
Dynamic/Decrypted Code Coverage: 21.4%
Signature Coverage: 3.2%
Total number of Nodes: 1576
Total number of Limit Nodes: 101
                                                                                                                                                                                                                            execution_graph 145360 95fca5 145365 95fcb9 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 145360->145365 145361 95fcbf 145365->145361 145368 95fd40 145365->145368 145391 96762e 39 API calls 2 library calls 145365->145391 145366 95fd4e 145369 95fd5b 145366->145369 145382 9605aa 145368->145382 145392 9605e0 GetModuleHandleW 145369->145392 145371 95fd62 145372 95fd66 145371->145372 145373 95fdd0 145371->145373 145375 95fd6f 145372->145375 145393 96816c 21 API calls __FrameHandler3::FrameUnwindToState 145372->145393 145395 9681b7 21 API calls __FrameHandler3::FrameUnwindToState 145373->145395 145394 95ffd0 75 API calls ___scrt_uninitialize_crt 145375->145394 145376 95fdd6 145396 96817b 21 API calls __FrameHandler3::FrameUnwindToState 145376->145396 145380 95fd77 145380->145361 145381 95fdde 145397 960e90 145382->145397 145384 9605bd GetStartupInfoW 145385 95fd46 145384->145385 145386 967e0a 145385->145386 145398 972f03 145386->145398 145388 967e13 145389 967e4d 145388->145389 145404 9731b6 39 API calls 145388->145404 145389->145366 145391->145368 145392->145371 145393->145375 145394->145380 145395->145376 145396->145381 145397->145384 145399 972f0c 145398->145399 145400 972f3e 145398->145400 145405 96a9ab 145399->145405 145400->145388 145404->145388 145406 96a9b6 145405->145406 145407 96a9bc 145405->145407 145456 96e015 6 API calls _unexpected 145406->145456 145411 96a9c2 145407->145411 145457 96e054 6 API calls _unexpected 145407->145457 145410 96a9d6 145410->145411 145412 96a9da 145410->145412 145414 96a9c7 145411->145414 145465 967134 39 API calls __FrameHandler3::FrameUnwindToState 145411->145465 145458 96db5d 14 API calls 3 library calls 145412->145458 145433 972d0e 145414->145433 145416 
96a9e6 145418 96aa03 145416->145418 145419 96a9ee 145416->145419 145461 96e054 6 API calls _unexpected 145418->145461 145459 96e054 6 API calls _unexpected 145419->145459 145422 96a9fa 145460 96abdb 14 API calls 2 library calls 145422->145460 145423 96aa0f 145424 96aa22 145423->145424 145425 96aa13 145423->145425 145463 96a71e 14 API calls _unexpected 145424->145463 145462 96e054 6 API calls _unexpected 145425->145462 145429 96aa00 145429->145411 145430 96aa2d 145464 96abdb 14 API calls 2 library calls 145430->145464 145432 96aa34 145432->145414 145466 972e63 145433->145466 145438 972d51 145438->145400 145441 972d6a 145502 96abdb 14 API calls 2 library calls 145441->145502 145442 972d78 145491 972f61 145442->145491 145446 972db0 145503 9653de 14 API calls __dosmaperr 145446->145503 145448 972db5 145504 96abdb 14 API calls 2 library calls 145448->145504 145450 972dcb 145454 972df7 145450->145454 145505 96abdb 14 API calls 2 library calls 145450->145505 145455 972e40 145454->145455 145506 972987 39 API calls 2 library calls 145454->145506 145507 96abdb 14 API calls 2 library calls 145455->145507 145456->145407 145457->145410 145458->145416 145459->145422 145460->145429 145461->145423 145462->145422 145463->145430 145464->145432 145467 972e6f __FrameHandler3::FrameUnwindToState 145466->145467 145474 972e89 145467->145474 145508 9649ca EnterCriticalSection 145467->145508 145469 972e99 145476 972ec5 145469->145476 145509 96abdb 14 API calls 2 library calls 145469->145509 145470 972d38 145477 972a95 145470->145477 145474->145470 145511 967134 39 API calls __FrameHandler3::FrameUnwindToState 145474->145511 145510 972ee2 LeaveCriticalSection std::_Lockit::~_Lockit 145476->145510 145512 967178 145477->145512 145479 972aa7 145480 972ab6 GetOEMCP 145479->145480 145481 972ac8 145479->145481 145483 972adf 145480->145483 145482 972acd GetACP 145481->145482 145481->145483 145482->145483 145483->145438 145484 96ac15 145483->145484 145485 96ac53 145484->145485 145489 96ac23 
Execution Graph

The report renders the execution graph as a flat node-and-edge list; only the API call chains it records are kept here (node identifiers and code addresses omitted, grouped by the address region they come from).

Stage 1, code at 0x90xxxx-0x97xxxx (the submitted executable):
- CRT locale and code-page setup: GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringEx (resolved at run time via LoadLibraryExW, GetLastError, FreeLibrary, GetProcAddress, with LCMapStringW as fallback), IsProcessorFeaturePresent, and the SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess abort path; heap use goes through RtlAllocateHeap guarded by EnterCriticalSection/LeaveCriticalSection.
- LoadLibraryA, CreateThread, WaitForSingleObject, FreeLibrary: the created thread starts at 0x32121f5 (stage 2 below).
- VirtualAlloc, followed by RaiseException on failure.
- GetModuleHandleA, GetProcAddress, then VirtualProtect, VirtualProtect, a byte loop at 0x960910, and a final VirtualProtect (a make-writable / write / restore sequence on a loaded module).
- InternetOpenUrlA, then an InternetReadFile loop, with FreeLibrary on both the success and failure exits.

Stage 2, code at 0x321xxxx (memory-resident payload run in the new thread):
- InitializeCriticalSectionAndSpinCount, CreateMutexA, GetLastError; the graph shows branches from both CreateMutexA and GetLastError straight to ExitProcess (the mutex check the "evasive API chain" signature refers to), DeleteCriticalSection before exit.
- GetModuleHandleA / LoadLibraryA import resolution, then GetUserDefaultUILanguage and GetKeyboardLayoutList; three further branches to ExitProcess follow this language check.
- GetCurrentProcess, IsWow64Process; GetModuleFileNameW; VirtualAlloc.
- Two worker threads started with CreateThread, CreateThread, WaitForMultipleObjects:
  - file-system sweep: GetFileAttributesW, FindFirstFileW, FindNextFileW recursing into subdirectories, with CryptUnprotectData followed by CryptProtectData on selected data;
  - host fingerprint: GetCurrentHwProfileA, GetSystemInfo, GlobalMemoryStatusEx, EnumDisplayDevicesA, ObtainUserAgentString;
  - screen capture: KiUserCallbackDispatcher, GetSystemMetrics, GetDC, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateDIBSection, SelectObject, BitBlt, DeleteDC, ReleaseDC.
- Exfiltration: socket, connect, send, send, with a Sleep-and-retry loop back to connect when a call fails; heap freed via GetProcessHeap, RtlFreeHeap.
146670->146678 146879 901d90 15 API calls 146670->146879 146880 901de0 20 API calls 146670->146880 146674 9197c2 146690 919815 VirtualAlloc 146674->146690 146735 91985a 146674->146735 146890 964870 15 API calls 146675->146890 146889 964870 15 API calls 146676->146889 146678->146661 146686 918829 146678->146686 146883 901d90 15 API calls 146678->146883 146884 901de0 20 API calls 146678->146884 146682 918e91 146894 964870 15 API calls 146682->146894 146683 918e67 146893 964870 15 API calls 146683->146893 146684 918b3c 146684->146641 146685 918db3 146685->146682 146685->146683 146686->146641 146686->146668 146887 901d90 15 API calls 146686->146887 146888 901de0 20 API calls 146686->146888 146693 91983f 146690->146693 146690->146735 146691 9190cc 146694 9191a4 146691->146694 146695 91917a 146691->146695 146907 96106c RaiseException 146693->146907 146898 964870 15 API calls 146694->146898 146897 964870 15 API calls 146695->146897 146697 9193df 146703 9194b7 146697->146703 146704 91948d 146697->146704 146700->146685 146708 918e89 146700->146708 146891 901d90 15 API calls 146700->146891 146892 901de0 20 API calls 146700->146892 146902 964870 15 API calls 146703->146902 146901 964870 15 API calls 146704->146901 146706 9196f2 146711 9197a0 146706->146711 146712 9197ca 146706->146712 146708->146691 146714 91919c 146708->146714 146895 901d90 15 API calls 146708->146895 146896 901de0 20 API calls 146708->146896 146905 964870 15 API calls 146711->146905 146906 964870 15 API calls 146712->146906 146714->146697 146717 9194af 146714->146717 146899 901d90 15 API calls 146714->146899 146900 901de0 20 API calls 146714->146900 146717->146674 146717->146706 146903 901d90 15 API calls 146717->146903 146904 901de0 20 API calls 146717->146904 146718 919a68 146720 919b40 146718->146720 146721 919b16 146718->146721 146911 964870 15 API calls 146720->146911 146910 964870 15 API calls 146721->146910 146725 919d7b 146727 919e53 146725->146727 146728 919e29 146725->146728 146915 964870 15 API 
calls 146727->146915 146914 964870 15 API calls 146728->146914 146731 91a09a 146737 91a172 146731->146737 146738 91a148 146731->146738 146733 91a47d 146749 91a6ca 146733->146749 146752 91a79a 146733->146752 146924 901d90 15 API calls 146733->146924 146925 901de0 20 API calls 146733->146925 146735->146718 146743 919b38 146735->146743 146908 901d90 15 API calls 146735->146908 146909 901de0 20 API calls 146735->146909 146736 919e4b 146736->146731 146742 91a16a 146736->146742 146916 901d90 15 API calls 146736->146916 146917 901de0 20 API calls 146736->146917 146919 964870 15 API calls 146737->146919 146918 964870 15 API calls 146738->146918 146741 91a3ad 146746 91a485 146741->146746 146747 91a45b 146741->146747 146742->146733 146742->146741 146920 901d90 15 API calls 146742->146920 146921 901de0 20 API calls 146742->146921 146743->146725 146743->146736 146912 901d90 15 API calls 146743->146912 146913 901de0 20 API calls 146743->146913 146923 964870 15 API calls 146746->146923 146922 964870 15 API calls 146747->146922 146754 91a7a2 146749->146754 146755 91a778 146749->146755 146757 91a9dd 146752->146757 146768 91aaad 146752->146768 146928 901d90 15 API calls 146752->146928 146929 901de0 20 API calls 146752->146929 146927 964870 15 API calls 146754->146927 146926 964870 15 API calls 146755->146926 146761 91aab5 146757->146761 146762 91aa8b 146757->146762 146931 964870 15 API calls 146761->146931 146930 964870 15 API calls 146762->146930 146766 91ad04 146769 91adb2 146766->146769 146770 91addc 146766->146770 146768->146766 146786 91add4 146768->146786 146932 901d90 15 API calls 146768->146932 146933 901de0 20 API calls 146768->146933 146934 964870 15 API calls 146769->146934 146935 964870 15 API calls 146770->146935 146772 91b017 146776 91b0c5 146772->146776 146777 91b0ef 146772->146777 146938 964870 15 API calls 146776->146938 146939 964870 15 API calls 146777->146939 146779 91b336 146783 91b3e4 146779->146783 146784 91b40e 146779->146784 146942 964870 15 API calls 
146783->146942 146943 964870 15 API calls 146784->146943 146786->146772 146793 91b0e7 146786->146793 146936 901d90 15 API calls 146786->146936 146937 901de0 20 API calls 146786->146937 146790 91b661 146791 91b715 146790->146791 146792 91b73f 146790->146792 146946 964870 15 API calls 146791->146946 146947 964870 15 API calls 146792->146947 146793->146779 146799 91b406 146793->146799 146940 901d90 15 API calls 146793->146940 146941 901de0 20 API calls 146793->146941 146798 91b9af 146800 91ba63 146798->146800 146801 91ba8d 146798->146801 146799->146790 146811 91b737 codecvt 146799->146811 146944 901d90 15 API calls 146799->146944 146945 901de0 20 API calls 146799->146945 146950 964870 15 API calls 146800->146950 146951 964870 15 API calls 146801->146951 146804 91bce0 146808 91bd94 146804->146808 146809 91bdbe 146804->146809 146954 964870 15 API calls 146808->146954 146955 964870 15 API calls 146809->146955 146811->146798 146816 91ba85 146811->146816 146948 901d90 15 API calls 146811->146948 146949 901de0 20 API calls 146811->146949 146815 91c0b2 146817 91c165 146815->146817 146818 91c18f 146815->146818 146816->146804 146827 91bdb6 codecvt 146816->146827 146952 901d90 15 API calls 146816->146952 146953 901de0 20 API calls 146816->146953 146958 964870 15 API calls 146817->146958 146959 964870 15 API calls 146818->146959 146820 91c3e2 146824 91c495 146820->146824 146825 91c4bf 146820->146825 146962 964870 15 API calls 146824->146962 146963 964870 15 API calls 146825->146963 146827->146815 146830 91c187 146827->146830 146956 901d90 15 API calls 146827->146956 146957 901de0 20 API calls 146827->146957 146830->146802 146830->146820 146960 901d90 15 API calls 146830->146960 146961 901de0 20 API calls 146830->146961 146831->146569 146832->146569 146833->146580 146834->146580 146835->146580 146836->146580 146837->146590 146838->146590 146839->146590 146840->146590 146841->146598 146842->146598 146843->146598 146844->146598 146845->146605 146846->146605 146847->146605 
146848->146605 146849->146611 146850->146611 146851->146611 146852->146611 146853->146623 146854->146623 146855->146623 146856->146623 146857->146630 146858->146630 146859->146630 146860->146630 146861->146637 146862->146637 146863->146637 146864->146637 146865->146644 146866->146644 146867->146644 146868->146644 146869->146657 146870->146657 146871->146657 146872->146657 146873->146663 146874->146663 146875->146663 146876->146663 146877->146670 146878->146670 146879->146670 146880->146670 146881->146678 146882->146678 146883->146678 146884->146678 146885->146686 146886->146686 146887->146686 146888->146686 146889->146684 146890->146684 146891->146700 146892->146700 146893->146708 146894->146708 146895->146708 146896->146708 146897->146714 146898->146714 146899->146714 146900->146714 146901->146717 146902->146717 146903->146717 146904->146717 146905->146674 146906->146674 146907->146735 146908->146735 146909->146735 146910->146743 146911->146743 146912->146743 146913->146743 146914->146736 146915->146736 146916->146736 146917->146736 146918->146742 146919->146742 146920->146742 146921->146742 146922->146733 146923->146733 146924->146733 146925->146733 146926->146752 146927->146752 146928->146752 146929->146752 146930->146768 146931->146768 146932->146768 146933->146768 146934->146786 146935->146786 146936->146786 146937->146786 146938->146793 146939->146793 146940->146793 146941->146793 146942->146799 146943->146799 146944->146799 146945->146799 146946->146811 146947->146811 146948->146811 146949->146811 146950->146816 146951->146816 146952->146816 146953->146816 146954->146827 146955->146827 146956->146827 146957->146827 146958->146830 146959->146830 146960->146830 146961->146830 146962->146802 146963->146802 146964 905ed9 146975 905ee2 146964->146975 146965 9061f5 LoadLibraryA 146966 906205 146965->146966 146989 90621e 146965->146989 146967 9060de 146969 9061b6 146967->146969 146970 90618c 146967->146970 147382 964870 15 API calls 146969->147382 147381 964870 15 
API calls 146970->147381 146974 9061ae 146974->146965 146975->146967 146975->146974 147379 901d90 15 API calls 146975->147379 147380 901de0 20 API calls 146975->147380 146976 90680d 146977 906854 GetProcAddress 146976->146977 147006 906877 146977->147006 146979 90642c 146980 906503 146979->146980 146981 9064d9 146979->146981 147386 964870 15 API calls 146980->147386 147385 964870 15 API calls 146981->147385 146982 90673e 146987 906815 146982->146987 146988 9067eb 146982->146988 147390 964870 15 API calls 146987->147390 147389 964870 15 API calls 146988->147389 146989->146979 146993 9064fb 146989->146993 147383 901d90 15 API calls 146989->147383 147384 901de0 20 API calls 146989->147384 146993->146976 146993->146982 147387 901d90 15 API calls 146993->147387 147388 901de0 20 API calls 146993->147388 146995 906a73 146996 906b21 146995->146996 146997 906b4b 146995->146997 147393 964870 15 API calls 146996->147393 147394 964870 15 API calls 146997->147394 146999 906d86 147003 906e34 146999->147003 147004 906e5e 146999->147004 147397 964870 15 API calls 147003->147397 147398 964870 15 API calls 147004->147398 147006->146995 147017 906b43 147006->147017 147391 901d90 15 API calls 147006->147391 147392 901de0 20 API calls 147006->147392 147009 907099 147011 907171 147009->147011 147012 907147 147009->147012 147402 964870 15 API calls 147011->147402 147401 964870 15 API calls 147012->147401 147017->146999 147023 906e56 147017->147023 147395 901d90 15 API calls 147017->147395 147396 901de0 20 API calls 147017->147396 147018 9073ac 147019 907484 147018->147019 147020 90745a 147018->147020 147406 964870 15 API calls 147019->147406 147405 964870 15 API calls 147020->147405 147023->147009 147031 907169 147023->147031 147399 901d90 15 API calls 147023->147399 147400 901de0 20 API calls 147023->147400 147026 907797 147410 964870 15 API calls 147026->147410 147027 90776d 147409 964870 15 API calls 147027->147409 147028 9076bf 147028->147026 147028->147027 147029 9079d2 147035 
907a80 147029->147035 147036 907aaa 147029->147036 147031->147018 147038 90747c 147031->147038 147403 901d90 15 API calls 147031->147403 147404 901de0 20 API calls 147031->147404 147413 964870 15 API calls 147035->147413 147414 964870 15 API calls 147036->147414 147038->147028 147045 90778f 147038->147045 147407 901d90 15 API calls 147038->147407 147408 901de0 20 API calls 147038->147408 147042 907d93 147417 964870 15 API calls 147042->147417 147043 907dbd 147418 964870 15 API calls 147043->147418 147044 907ce5 147044->147042 147044->147043 147045->147029 147058 907aa2 147045->147058 147411 901d90 15 API calls 147045->147411 147412 901de0 20 API calls 147045->147412 147049 9086ee 147051 908735 GetProcAddress 147049->147051 147090 908758 147051->147090 147052 907ff8 147053 9080d0 147052->147053 147054 9080a6 147052->147054 147422 964870 15 API calls 147053->147422 147421 964870 15 API calls 147054->147421 147056 90830b 147061 9083e3 147056->147061 147062 9083b9 147056->147062 147058->147044 147066 907db5 147058->147066 147415 901d90 15 API calls 147058->147415 147416 901de0 20 API calls 147058->147416 147426 964870 15 API calls 147061->147426 147425 964870 15 API calls 147062->147425 147064 90861e 147069 9086f6 147064->147069 147070 9086cc 147064->147070 147066->147052 147072 9080c8 147066->147072 147419 901d90 15 API calls 147066->147419 147420 901de0 20 API calls 147066->147420 147430 964870 15 API calls 147069->147430 147429 964870 15 API calls 147070->147429 147072->147056 147075 9083db 147072->147075 147423 901d90 15 API calls 147072->147423 147424 901de0 20 API calls 147072->147424 147075->147049 147075->147064 147427 901d90 15 API calls 147075->147427 147428 901de0 20 API calls 147075->147428 147077 908954 147078 908a02 147077->147078 147079 908a2c 147077->147079 147433 964870 15 API calls 147078->147433 147434 964870 15 API calls 147079->147434 147083 908c67 147085 908d15 147083->147085 147086 908d3f 147083->147086 147437 964870 15 API calls 147085->147437 
147438 964870 15 API calls 147086->147438 147090->147077 147099 908a24 147090->147099 147431 901d90 15 API calls 147090->147431 147432 901de0 20 API calls 147090->147432 147092 908f7a 147094 909052 147092->147094 147095 909028 147092->147095 147093 9099a1 147102 9099e8 GetProcAddress 147093->147102 147442 964870 15 API calls 147094->147442 147441 964870 15 API calls 147095->147441 147097 90928d 147103 909365 147097->147103 147104 90933b 147097->147104 147099->147083 147107 908d37 147099->147107 147435 901d90 15 API calls 147099->147435 147436 901de0 20 API calls 147099->147436 147141 909a14 147102->147141 147446 964870 15 API calls 147103->147446 147445 964870 15 API calls 147104->147445 147105 9095a0 147111 909678 147105->147111 147112 90964e 147105->147112 147107->147092 147113 90904a 147107->147113 147439 901d90 15 API calls 147107->147439 147440 901de0 20 API calls 147107->147440 147450 964870 15 API calls 147111->147450 147449 964870 15 API calls 147112->147449 147113->147097 147122 90935d 147113->147122 147443 901d90 15 API calls 147113->147443 147444 901de0 20 API calls 147113->147444 147118 9098cb 147119 9099a9 147118->147119 147120 90997f 147118->147120 147454 964870 15 API calls 147119->147454 147453 964870 15 API calls 147120->147453 147121 909670 147121->147093 147121->147118 147451 901d90 15 API calls 147121->147451 147452 901de0 20 API calls 147121->147452 147122->147105 147122->147121 147447 901d90 15 API calls 147122->147447 147448 901de0 20 API calls 147122->147448 147127 909c1f 147128 909cd2 147127->147128 147129 909cfc 147127->147129 147457 964870 15 API calls 147128->147457 147458 964870 15 API calls 147129->147458 147131 909f4f 147135 90a002 147131->147135 147136 90a02c 147131->147136 147461 964870 15 API calls 147135->147461 147462 964870 15 API calls 147136->147462 147137 909cf4 147137->147131 147144 90a024 147137->147144 147459 901d90 15 API calls 147137->147459 147460 901de0 20 API calls 147137->147460 147139 90a27f 147145 90a332 
147139->147145 147146 90a35c 147139->147146 147141->147127 147141->147137 147455 901d90 15 API calls 147141->147455 147456 901de0 20 API calls 147141->147456 147144->147139 147163 90a354 147144->147163 147463 901d90 15 API calls 147144->147463 147464 901de0 20 API calls 147144->147464 147465 964870 15 API calls 147145->147465 147466 964870 15 API calls 147146->147466 147147 90a5af 147152 90a662 147147->147152 147153 90a68c 147147->147153 147469 964870 15 API calls 147152->147469 147470 964870 15 API calls 147153->147470 147157 90a8df 147159 90a992 147157->147159 147160 90a9bc 147157->147160 147473 964870 15 API calls 147159->147473 147474 964870 15 API calls 147160->147474 147163->147147 147173 90a684 147163->147173 147467 901d90 15 API calls 147163->147467 147468 901de0 20 API calls 147163->147468 147166 90ac0f 147167 90acc2 147166->147167 147168 90acec 147166->147168 147477 964870 15 API calls 147167->147477 147478 964870 15 API calls 147168->147478 147170 90b674 147176 90b6bb GetProcAddress 147170->147176 147171 90af3f 147177 90aff2 147171->147177 147178 90b01c 147171->147178 147173->147157 147181 90a9b4 147173->147181 147471 901d90 15 API calls 147173->147471 147472 901de0 20 API calls 147173->147472 147215 90b6e7 147176->147215 147481 964870 15 API calls 147177->147481 147482 964870 15 API calls 147178->147482 147179 90b26f 147185 90b322 147179->147185 147186 90b34c 147179->147186 147181->147166 147187 90ace4 147181->147187 147475 901d90 15 API calls 147181->147475 147476 901de0 20 API calls 147181->147476 147485 964870 15 API calls 147185->147485 147486 964870 15 API calls 147186->147486 147187->147171 147197 90b014 147187->147197 147479 901d90 15 API calls 147187->147479 147480 901de0 20 API calls 147187->147480 147191 90b59f 147193 90b652 147191->147193 147194 90b67c 147191->147194 147489 964870 15 API calls 147193->147489 147490 964870 15 API calls 147194->147490 147197->147179 147199 90b344 147197->147199 147483 901d90 15 API calls 147197->147483 147484 
901de0 20 API calls 147197->147484 147199->147170 147199->147191 147487 901d90 15 API calls 147199->147487 147488 901de0 20 API calls 147199->147488 147201 90b8f2 147202 90b9d0 147201->147202 147203 90b9a6 147201->147203 147494 964870 15 API calls 147202->147494 147493 964870 15 API calls 147203->147493 147204 90c68c 147205 90c6e5 FreeLibrary 147204->147205 147255 90c708 147204->147255 147205->146966 147207 90bc23 147211 90bd01 147207->147211 147212 90bcd7 147207->147212 147498 964870 15 API calls 147211->147498 147497 964870 15 API calls 147212->147497 147215->147201 147222 90b9c8 147215->147222 147491 901d90 15 API calls 147215->147491 147492 901de0 20 API calls 147215->147492 147218 90bf54 147219 90c032 147218->147219 147220 90c008 147218->147220 147502 964870 15 API calls 147219->147502 147501 964870 15 API calls 147220->147501 147222->147207 147229 90bcf9 147222->147229 147495 901d90 15 API calls 147222->147495 147496 901de0 20 API calls 147222->147496 147226 90c363 147506 964870 15 API calls 147226->147506 147227 90c339 147505 964870 15 API calls 147227->147505 147228 90c285 147228->147226 147228->147227 147229->147218 147238 90c02a 147229->147238 147499 901d90 15 API calls 147229->147499 147500 901de0 20 API calls 147229->147500 147233 90c5b6 147235 90c694 147233->147235 147236 90c66a 147233->147236 147510 964870 15 API calls 147235->147510 147509 964870 15 API calls 147236->147509 147238->147228 147241 90c35b 147238->147241 147503 901d90 15 API calls 147238->147503 147504 901de0 20 API calls 147238->147504 147241->147204 147241->147233 147507 901d90 15 API calls 147241->147507 147508 901de0 20 API calls 147241->147508 147243 90c92e 147244 90c9e1 147243->147244 147245 90ca0b 147243->147245 147513 964870 15 API calls 147244->147513 147514 964870 15 API calls 147245->147514 147247 90cc5e 147251 90cd11 147247->147251 147252 90cd3b 147247->147252 147517 964870 15 API calls 147251->147517 147518 964870 15 API calls 147252->147518 147253 90cf8e 147259 90d041 
147253->147259 147260 90d06b 147253->147260 147255->147243 147261 90ca03 147255->147261 147511 901d90 15 API calls 147255->147511 147512 901de0 20 API calls 147255->147512 147521 964870 15 API calls 147259->147521 147522 964870 15 API calls 147260->147522 147261->147247 147269 90cd33 147261->147269 147515 901d90 15 API calls 147261->147515 147516 901de0 20 API calls 147261->147516 147266 90d371 147525 964870 15 API calls 147266->147525 147267 90d39b 147526 964870 15 API calls 147267->147526 147268 90d2be 147268->147266 147268->147267 147269->147253 147278 90d063 147269->147278 147519 901d90 15 API calls 147269->147519 147520 901de0 20 API calls 147269->147520 147274 90d5ee 147275 90d6a1 147274->147275 147276 90d6cb 147274->147276 147529 964870 15 API calls 147275->147529 147530 964870 15 API calls 147276->147530 147278->147268 147281 90d393 147278->147281 147523 901d90 15 API calls 147278->147523 147524 901de0 20 API calls 147278->147524 147281->147274 147294 90d6c3 147281->147294 147527 901d90 15 API calls 147281->147527 147528 901de0 20 API calls 147281->147528 147283 90d936 147284 90da13 147283->147284 147285 90d9e9 147283->147285 147534 964870 15 API calls 147284->147534 147533 964870 15 API calls 147285->147533 147287 90dc66 147291 90dd43 147287->147291 147292 90dd19 147287->147292 147538 964870 15 API calls 147291->147538 147537 964870 15 API calls 147292->147537 147294->147283 147301 90da0b 147294->147301 147531 901d90 15 API calls 147294->147531 147532 901de0 20 API calls 147294->147532 147298 90df96 147299 90e073 147298->147299 147300 90e049 147298->147300 147542 964870 15 API calls 147299->147542 147541 964870 15 API calls 147300->147541 147301->147287 147314 90dd3b 147301->147314 147535 901d90 15 API calls 147301->147535 147536 901de0 20 API calls 147301->147536 147305 90e9dd 147308 90ea38 InternetOpenA 147305->147308 147306 90e2c6 147309 90e3a3 147306->147309 147310 90e379 147306->147310 147345 90ea57 147308->147345 147546 964870 15 API calls 
147309->147546 147545 964870 15 API calls 147310->147545 147312 90e5de 147317 90e6b5 147312->147317 147318 90e68b 147312->147318 147314->147298 147322 90e06b 147314->147322 147539 901d90 15 API calls 147314->147539 147540 901de0 20 API calls 147314->147540 147550 964870 15 API calls 147317->147550 147549 964870 15 API calls 147318->147549 147320 90e908 147326 90e9e5 147320->147326 147327 90e9bb 147320->147327 147322->147306 147330 90e39b 147322->147330 147543 901d90 15 API calls 147322->147543 147544 901de0 20 API calls 147322->147544 147325 90f036 147329 90f074 FreeLibrary 147325->147329 147364 90f097 147325->147364 147554 964870 15 API calls 147326->147554 147553 964870 15 API calls 147327->147553 147329->146966 147330->147312 147333 90e6ad 147330->147333 147547 901d90 15 API calls 147330->147547 147548 901de0 20 API calls 147330->147548 147333->147305 147333->147320 147551 901d90 15 API calls 147333->147551 147552 901de0 20 API calls 147333->147552 147334 90ec53 147336 90ed01 147334->147336 147337 90ed2b 147334->147337 147557 964870 15 API calls 147336->147557 147558 964870 15 API calls 147337->147558 147342 90f014 147561 964870 15 API calls 147342->147561 147343 90f03e 147562 964870 15 API calls 147343->147562 147344 90ef66 147344->147342 147344->147343 147345->147334 147352 90ed23 147345->147352 147555 901d90 15 API calls 147345->147555 147556 901de0 20 API calls 147345->147556 147350 90f2a5 147354 90f352 147350->147354 147355 90f37c 147350->147355 147351 90f698 std::runtime_error::runtime_error _strlen 147353 90f6f6 InternetOpenUrlA 147351->147353 147352->147325 147352->147344 147559 901d90 15 API calls 147352->147559 147560 901de0 20 API calls 147352->147560 147357 90f782 InternetReadFile 147353->147357 147358 90f734 FreeLibrary 147353->147358 147565 964870 15 API calls 147354->147565 147566 964870 15 API calls 147355->147566 147361 90f7b2 147357->147361 147362 90f7bb FreeLibrary 147357->147362 147370 90f75f 147358->147370 147361->147357 147361->147362 
147367 914c60 std::ios_base::failure::failure 41 API calls 147361->147367 147376 90f82a std::ios_base::failure::failure 147362->147376 147363 90f5c9 147368 90f6a0 147363->147368 147369 90f676 147363->147369 147364->147350 147377 90f374 147364->147377 147563 901d90 15 API calls 147364->147563 147564 901de0 20 API calls 147364->147564 147367->147361 147570 964870 15 API calls 147368->147570 147569 964870 15 API calls 147369->147569 147571 904120 39 API calls task 147370->147571 147572 904120 39 API calls task 147376->147572 147377->147351 147377->147363 147567 901d90 15 API calls 147377->147567 147568 901de0 20 API calls 147377->147568 147379->146975 147380->146975 147381->146974 147382->146974 147383->146989 147384->146989 147385->146993 147386->146993 147387->146993 147388->146993 147389->146976 147390->146976 147391->147006 147392->147006 147393->147017 147394->147017 147395->147017 147396->147017 147397->147023 147398->147023 147399->147023 147400->147023 147401->147031 147402->147031 147403->147031 147404->147031 147405->147038 147406->147038 147407->147038 147408->147038 147409->147045 147410->147045 147411->147045 147412->147045 147413->147058 147414->147058 147415->147058 147416->147058 147417->147066 147418->147066 147419->147066 147420->147066 147421->147072 147422->147072 147423->147072 147424->147072 147425->147075 147426->147075 147427->147075 147428->147075 147429->147049 147430->147049 147431->147090 147432->147090 147433->147099 147434->147099 147435->147099 147436->147099 147437->147107 147438->147107 147439->147107 147440->147107 147441->147113 147442->147113 147443->147113 147444->147113 147445->147122 147446->147122 147447->147122 147448->147122 147449->147121 147450->147121 147451->147121 147452->147121 147453->147093 147454->147093 147455->147141 147456->147141 147457->147137 147458->147137 147459->147137 147460->147137 147461->147144 147462->147144 147463->147144 147464->147144 147465->147163 147466->147163 147467->147163 147468->147163 
147469->147173 147470->147173 147471->147173 147472->147173 147473->147181 147474->147181 147475->147181 147476->147181 147477->147187 147478->147187 147479->147187 147480->147187 147481->147197 147482->147197 147483->147197 147484->147197 147485->147199 147486->147199 147487->147199 147488->147199 147489->147170 147490->147170 147491->147215 147492->147215 147493->147222 147494->147222 147495->147222 147496->147222 147497->147229 147498->147229 147499->147229 147500->147229 147501->147238 147502->147238 147503->147238 147504->147238 147505->147241 147506->147241 147507->147241 147508->147241 147509->147204 147510->147204 147511->147255 147512->147255 147513->147261 147514->147261 147515->147261 147516->147261 147517->147269 147518->147269 147519->147269 147520->147269 147521->147278 147522->147278 147523->147278 147524->147278 147525->147281 147526->147281 147527->147281 147528->147281 147529->147294 147530->147294 147531->147294 147532->147294 147533->147301 147534->147301 147535->147301 147536->147301 147537->147314 147538->147314 147539->147314 147540->147314 147541->147322 147542->147322 147543->147322 147544->147322 147545->147330 147546->147330 147547->147330 147548->147330 147549->147333 147550->147333 147551->147333 147552->147333 147553->147305 147554->147305 147555->147345 147556->147345 147557->147352 147558->147352 147559->147352 147560->147352 147561->147325 147562->147325 147563->147364 147564->147364 147565->147377 147566->147377 147567->147377 147568->147377 147569->147351 147570->147351 147571->146966 147572->146966 147573 95fe5f 147574 95fe68 147573->147574 147581 96013c IsProcessorFeaturePresent 147574->147581 147576 95fe74 147582 962f0e 10 API calls 2 library calls 147576->147582 147578 95fe79 147579 95fe7d 147578->147579 147583 962f2d 7 API calls 2 library calls 147578->147583 147581->147576 147582->147578 147583->147579
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: f057100b53cd656a995a248c660e830e0f630e08497a65442aedbcecb8822272
• Instruction ID: 46c0c98eec0b0a6fadc0695c71294f4446b788d84f1574cf460d609ff3ac28be
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f057100b53cd656a995a248c660e830e0f630e08497a65442aedbcecb8822272
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98143171D04A29CACB62DF64CC916AEB775FF46344F1086C9E40A7A281EB319AD1DF81

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed): basic blocks 3214ba2-3214e26, entry block at 3214ba2.

APIs
  • Part of subcall function 032146D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03214812), ref: 032146E6
  • Part of subcall function 032146D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03214812), ref: 032146F3
• KiUserCallbackDispatcher.NTDLL(0000004C), ref: 03214C13
• GetSystemMetrics.USER32(0000004D), ref: 03214C1A
• GetDC.USER32(00000000), ref: 03214C55
• GetCurrentObject.GDI32(00000000,00000007), ref: 03214C68
• GetObjectW.GDI32(00000000,00000018,?), ref: 03214C81
• DeleteObject.GDI32(00000000), ref: 03214CB3
• CreateCompatibleDC.GDI32(00000000), ref: 03214D14
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 03214D35
• SelectObject.GDI32(00000000,00000000), ref: 03214D47
• BitBlt.GDI32(00000000,00000000,00000000,?,03212468,00000000,?,?,00CC0020), ref: 03214D6C
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
  • Part of subcall function 03213D76: EnterCriticalSection.KERNEL32(032184D4,00000000,00000000,00000000,?,?,?,?,?,03213EEB,00000000,00000000,00000000,00000000,00000000), ref: 03213D88
  • Part of subcall function 03213536: GetProcessHeap.KERNEL32(00000000,00000000,0321518A), ref: 0321353D
  • Part of subcall function 03213536: RtlFreeHeap.NTDLL(00000000), ref: 03213544
• DeleteObject.GDI32(00000000), ref: 03214E0A
• DeleteDC.GDI32(00000000), ref: 03214E11
• ReleaseDC.USER32(00000000,00000000), ref: 03214E1A
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
• String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
• API String ID: 1387450592-1028866296
• Opcode ID: 8ad23c109043ef0d333651a44c3ea28f152db184bcf2a298509650a8f7ee8bf6
• Instruction ID: 3d0f75c05e60c915f0e1e1d35283a0819fef6ea19e2b3bdb2fc40974b669415b
• Opcode Fuzzy Hash: 8ad23c109043ef0d333651a44c3ea28f152db184bcf2a298509650a8f7ee8bf6
• Instruction Fuzzy Hash: 7E71C375E10308ABDB20EFA5DD45FEEBBB5EF18710F148059E604BB280DB709A50CBA1

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed): basic blocks 3211000-32119da, entry block at 3211000.

APIs
• FindNextFileW.KERNELBASE(?,?), ref: 032113C7
  • Part of subcall function 0321407D: GetFileAttributesW.KERNELBASE(03215051,0321447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03213ECC), ref: 0321407E
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• FindFirstFileW.KERNELBASE(00000000,?,00A1C5B0,?), ref: 03211161
  • Part of subcall function 03213EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03213F5D
  • Part of subcall function 03213EFC: FindNextFileW.KERNEL32(03211710,?), ref: 03213FFE
• EnterCriticalSection.KERNEL32(032184D4), ref: 03211668
• LeaveCriticalSection.KERNEL32(032184D4), ref: 03211681
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
• String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
• API String ID: 1893179121-1537637304
• Opcode ID: 626fea3b2f39038c4a1a6f18569603d4cf253a7c89e4e1414858761e41d5ef24
• Instruction ID: 2e44a1004a2c2061e45f618009977874df56502df0bf416aa1c32b894400629f
• Opcode Fuzzy Hash: 626fea3b2f39038c4a1a6f18569603d4cf253a7c89e4e1414858761e41d5ef24
• Instruction Fuzzy Hash: 04324626E3032556DB24EB689A80BFDB3F5AF70710F18405AD605AB294EF709DF1C791

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed): basic blocks 3212054-32121f4, entry block at 3212054.

APIs
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0321210B
• GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 03212132
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 03212166
• EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 032121E8
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                                                                                                                                                                                                                            • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                                                                                                                                                                                                                            • API String ID: 330852582-565344305
                                                                                                                                                                                                                            • Opcode ID: c07066b03d8958fc0fb86b48f59764aa61fbf6f0a4998f3a51db3f3f587364b8
                                                                                                                                                                                                                            • Instruction ID: 14e065d5bb9f9e8dc47b9da3c50f13450fbfa42f995e7f74eab6d9d027359df4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c07066b03d8958fc0fb86b48f59764aa61fbf6f0a4998f3a51db3f3f587364b8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A141F4716143059FD321DF18C984BABB7E9EBE8710F04492DF9898B241E771D9A4CBA2

Control-flow Graph
Control-flow graph of the function at 03214E27: the rendered graph is not reproduced here (see the APIs below).
APIs
• FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000), ref: 03214ECD
• EnterCriticalSection.KERNEL32(032184D4), ref: 03214F89
  • Part of subcall function 03214E27: LeaveCriticalSection.KERNEL32(032184D4), ref: 03214FA6
• FindNextFileW.KERNELBASE(?,?), ref: 03215175
  • Part of subcall function 0321407D: GetFileAttributesW.KERNELBASE(03215051,0321447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03213ECC), ref: 0321407E
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
• String ID: %s\%s$%s\*$Telegram
• API String ID: 648860119-4994844
• Opcode ID: 08372c6ffabd48cae4a333775a4ba927d85fdad86b52b5aa4fc4aa025dfbf771
• Instruction ID: 501d49b90bc669ca4241be46a747823e68ca6ae8f1973dd3d0cdff941e233eef
• Opcode Fuzzy Hash: 08372c6ffabd48cae4a333775a4ba927d85fdad86b52b5aa4fc4aa025dfbf771
• Instruction Fuzzy Hash: 14A1CD29E24348A9EF10EBA0ED45BFE73B5EF64710F10505AE508EB2E0F7B10AD58759

Control-flow Graph
Control-flow graph of the function at 03211D3C: the rendered graph is not reproduced here (see the APIs below).
APIs
• FindFirstFileW.KERNELBASE(?), ref: 03211D83
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• FindNextFileW.KERNELBASE(00000000,?), ref: 03211F07
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
• String ID: %s%s$%s\%s$%s\*
• API String ID: 3555643018-2064654797
• Opcode ID: fafecd42301f5d9054606d2633454cd08c26a0870261525dd1f428515734947f
• Instruction ID: 85024284950d78c2bbc8b67eaf9a290287ffc642bc879dc6a517f678c37ff662
• Opcode Fuzzy Hash: fafecd42301f5d9054606d2633454cd08c26a0870261525dd1f428515734947f
• Instruction Fuzzy Hash: 4F4117792383424BC724EF64EB84A2E73E5AFB4700F04481DEA55C7291EF71D9B5878A

Control-flow Graph
Control-flow graph of the function at 03211C94: the rendered graph is not reproduced here (see the APIs below).
APIs
  • Part of subcall function 032146D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03214812), ref: 032146E6
  • Part of subcall function 032146D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03214812), ref: 032146F3
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 03211CF3
• CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 03211D29
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
• String ID: CRYPT32.dll$Poverty is the parent of crime.
• API String ID: 3642467563-1885057629
• Opcode ID: 8c24164c1bcbcd34191a59cdfa12d57e86ed299a83e390a28aeea1c80b01d6bc
• Instruction ID: 4b1afbd9d962895add8e7cb8ea7bd4c85afb62eecf6bd318833fd3d07e04839a
• Opcode Fuzzy Hash: 8c24164c1bcbcd34191a59cdfa12d57e86ed299a83e390a28aeea1c80b01d6bc
• Instruction Fuzzy Hash: 33115EB5D0020DABCF10DF95C980CEEBBFDEB58250F5445AAE945B3240E770AE55CBA0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 0 32121f5-3212212 InitializeCriticalSectionAndSpinCount 1 3212214 0->1 2 3212219-321222f CreateMutexA 0->2 3 3212680 1->3 4 3212235-3212240 GetLastError 2->4 5 3212678-321267a ExitProcess 2->5 4->5 6 3212246-3212255 call 3213bd2 4->6 9 321225b-3212285 call 3213576 call 32147e6 6->9 10 321264f-321266f DeleteCriticalSection 6->10 15 3212647-321264a call 3213536 9->15 16 321228b-32122d0 call 32135db call 321484b 9->16 10->5 15->10 16->15 22 32122d6-321230a call 3213508 * 3 16->22 29 3212310-3212317 22->29 30 32125df-321262e call 3213d76 call 3213536 * 4 call 3213bfb 22->30 29->30 31 321231d-3212324 29->31 60 3212631-3212637 call 321536d 30->60 31->30 33 321232a-3212366 call 32146d4 31->33 33->30 39 321236c-3212381 call 3211f2d 33->39 45 32123c1-32123db 39->45 46 3212383-32123ba call 32146d4 39->46 55 32123e5-3212410 call 321363b 45->55 56 32123dd-32123df ExitProcess 45->56 46->45 54 32123bc 46->54 54->3 64 3212412-3212414 ExitProcess 55->64 65 321241a-3212445 call 321363b 55->65 63 321263c-3212643 60->63 63->15 66 3212645 63->66 70 3212447-3212449 ExitProcess 65->70 71 321244f-32124bd call 321363b call 3214ba2 CreateThread * 2 WaitForMultipleObjects call 32119df call 3212054 65->71 66->60 80 32124c7-32124ce 71->80 81 3212501-321251d ObtainUserAgentString 80->81 82 32124d0-32124d9 80->82 85 3212535-32125a0 call 3215239 * 6 call 3213508 81->85 86 321251f-3212532 call 32135db 81->86 83 32124db-32124f5 82->83 84 32124ff 82->84 83->84 84->80 104 32125b2-32125da call 321363b call 3215239 * 2 call 3213536 85->104 105 32125a2-32125ac GetModuleFileNameW 85->105 86->85 104->30 105->104
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(032184D4,00000DA3), ref: 0321220A
• CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 03212222
• GetLastError.KERNEL32 ref: 03212235
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
• String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
• API String ID: 2005177960-3436640841
• Opcode ID: 3b68b26ffb024c2df5f40b4854ab409214515cc62f6c4c9ed50a7cbcc136bbe0
• Instruction ID: 6abc0e8e85dbbc8aca14899fe351c8e198f5278935e6b4846dfb7ce8eccfce17
• Opcode Fuzzy Hash: 3b68b26ffb024c2df5f40b4854ab409214515cc62f6c4c9ed50a7cbcc136bbe0
• Instruction Fuzzy Hash: 32C10634924348EEE711EBA4EB89BED7BF6AB74700F144055E201AA1C5DFB14AA5CB21

Control-flow Graph

APIs
  • Part of subcall function 0321407D: GetFileAttributesW.KERNELBASE(03215051,0321447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03213ECC), ref: 0321407E
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• EnterCriticalSection.KERNEL32(032184D4), ref: 032144F5
• LeaveCriticalSection.KERNEL32(032184D4), ref: 03214541
• EnterCriticalSection.KERNEL32(032184D4), ref: 032145C4
• LeaveCriticalSection.KERNEL32(032184D4), ref: 032145FD
• EnterCriticalSection.KERNEL32(032184D4), ref: 0321463A
• LeaveCriticalSection.KERNEL32(032184D4), ref: 0321467D
• EnterCriticalSection.KERNEL32(032184D4), ref: 03214696
• LeaveCriticalSection.KERNEL32(032184D4), ref: 032146BF
  • Part of subcall function 032142EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,03214574), ref: 03214305
  • Part of subcall function 032142EC: GetProcAddress.KERNEL32(00000000), ref: 0321430E
  • Part of subcall function 032142EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03214574), ref: 0321431F
  • Part of subcall function 032142EC: GetProcAddress.KERNEL32(00000000), ref: 03214322
  • Part of subcall function 032142EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03214574), ref: 032143A4
  • Part of subcall function 032142EC: GetCurrentProcess.KERNEL32(03214574,00000000,00000000,00000002,?,?,?,?,03214574), ref: 032143C0
  • Part of subcall function 032142EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03214574), ref: 032143CF
  • Part of subcall function 032142EC: CloseHandle.KERNEL32(03214574,?,?,?,?,03214574), ref: 032143FF
  • Part of subcall function 03213536: GetProcessHeap.KERNEL32(00000000,00000000,0321518A), ref: 0321353D
  • Part of subcall function 03213536: RtlFreeHeap.NTDLL(00000000), ref: 03213544
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
• String ID: @$\??\%s$\Network\Cookies
• API String ID: 330363434-2791195959
• Opcode ID: 30ae8f8d9b43fbca3d543359081ff481557be6b1ab771dded3af421b9187643a
• Instruction ID: 515750616be420ebbb205f1adeb260a36151ca6df6f8c3addff46f338925f5ee
• Opcode Fuzzy Hash: 30ae8f8d9b43fbca3d543359081ff481557be6b1ab771dded3af421b9187643a
• Instruction Fuzzy Hash: 1F71A139960308AFEB14EF90DA89BED7BF5FB64704F108115F605AA1D4EFB19A91CB10

Control-flow Graph

control_flow_graph: function 0321536d (rendered graph edge list and executed/not-executed legend omitted; basic blocks call socket, connect, send, Sleep)
APIs
  • Part of subcall function 032146D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03214812), ref: 032146E6
  • Part of subcall function 032146D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03214812), ref: 032146F3
• socket.WS2_32(?,00000001,00000000), ref: 03215480
• connect.WS2_32(000000FF,?,00000010), ref: 032154BF
• send.WS2_32(000000FF,00000000,00000000), ref: 032154E1
• send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 032154FD
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: send$HandleLibraryLoadModuleconnectsocket
• String ID: 146.70.169.164$ws2_32.dll
• API String ID: 2781119014-4085977579
• Opcode ID: 475b7d6a7702a9547f1bee6a2727974109db31a50ec22f3bdd708020b95c661a
• Instruction ID: 057aa4c84fc001e218380e59f89540ec5337942727c1bde828ad0fc118601d2a
• Opcode Fuzzy Hash: 475b7d6a7702a9547f1bee6a2727974109db31a50ec22f3bdd708020b95c661a
• Instruction Fuzzy Hash: BB51C630C14289EEEB11CBE8D9097EDBFB99F26314F148089E660AE1C5C7B54796CB61
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: e3591120d1e4e0ced3c9c74024c3097f1723f6d86f0b03356ae7ba524779cc5c
• Instruction ID: ff6a4daa2f8d0793220f0b8c4420ea3659f41b81a0e88d91c08e516b369d058f
• Opcode Fuzzy Hash: e3591120d1e4e0ced3c9c74024c3097f1723f6d86f0b03356ae7ba524779cc5c
• Instruction Fuzzy Hash: F2632271D04A1CCACB26DF64C9916EEF775FF96344F1086CAE40A3A241EB31AAD19F41

Control-flow Graph

control_flow_graph: function 00913fe0 (rendered graph edge list and executed/not-executed legend omitted; basic blocks call GetModuleHandleA, GetProcAddress, VirtualProtect)
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
APIs
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,032122C4), ref: 0321486C
  • Part of subcall function 032146D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03214812), ref: 032146E6
  • Part of subcall function 032146D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03214812), ref: 032146F3
• GetCurrentProcess.KERNEL32(032122C4), ref: 032148E0
• IsWow64Process.KERNEL32(00000000), ref: 032148E7
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
• String ID: l$ntdl
• API String ID: 1207166019-924918826

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
APIs
• ___scrt_release_startup_lock.LIBCMT ref: 0095FCF5
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0095FD09
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0095FD2F
• ___scrt_uninitialize_crt.LIBCMT ref: 0095FD72
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
• String ID: VPWh
• API String ID: 3089971210-353207083

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
APIs
• LoadLibraryA.KERNELBASE(?), ref: 0091307F
• CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 009130A2
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 009130B7
• FreeLibrary.KERNEL32(?), ref: 009130C4
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: Library$CreateFreeLoadObjectSingleThreadWait
• String ID:
• API String ID: 2432312608-0
                                                                                                                                                                                                                            • Opcode ID: 973438fbdc28d2a7b7eecdbf7b9ecfd3ecc76f11000f25e7d3dad0baf3ad3def
                                                                                                                                                                                                                            • Instruction ID: ba2da28ea20b209f1bdf268d1d8a69feea6fc7b53a692f5fae20a79c9e576b96
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 973438fbdc28d2a7b7eecdbf7b9ecfd3ecc76f11000f25e7d3dad0baf3ad3def
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B011971A9431C9BDB248F64DC8CBAA7774FB14315F1046C8EA2D5A2A1CAB16EC0DF50
APIs
• EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
• GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
• RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
• LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Similarity
• API ID: CriticalHeapSection$AllocateEnterLeaveProcess
• String ID:
• API String ID: 1367039788-0
• Opcode ID: c8faab39eec2e07f58f291ea6f9f95112dba74ff58b8e87dd2013864408cde6d
• Instruction ID: cf30699b6e7a22984f0711c8f2cd852598a7ea0a7b893f3c54e767bc44ddc97f
• Opcode Fuzzy Hash: c8faab39eec2e07f58f291ea6f9f95112dba74ff58b8e87dd2013864408cde6d
• Instruction Fuzzy Hash: F0D09E32A0022067CB5076EDBA4C99BAA6CEFF5561B05416AF205C3154DEA4884587A0
Control-flow Graph: basic blocks 032146d4 through 032147e5 (GetModuleHandleA, LoadLibraryA, calls to 03213625 and 03213b60); rendered graph not reproduced here
APIs
• GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03214812), ref: 032146E6
• LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03214812), ref: 032146F3
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Similarity
• API ID: HandleLibraryLoadModule
• String ID: ntdl
• API String ID: 4133054770-3973061744
• Opcode ID: 75896d8ed7a027118d1e803bbfb20c5b37a444ac87a7744150ebb21a60a704b9
• Instruction ID: 464f0710feeeda3573d7356fba05c06400d8608d1f5cdd4f177e95d3c4846350
• Opcode Fuzzy Hash: 75896d8ed7a027118d1e803bbfb20c5b37a444ac87a7744150ebb21a60a704b9
• Instruction Fuzzy Hash: B831C03AE1021A9BCB24DF99C590ABDF7F5BF56304F080299C41597381C735A9A2CBA0
APIs
• Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 0095C9E8
• task.LIBCPMTD ref: 0095C9F6
Strings
• }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 0095C92A
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: Concurrency::task_continuation_context::task_continuation_contexttask
• String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
• API String ID: 605201214-2946796713
• Opcode ID: 3dee4d77f466098574f4444984805cd6b0dc92ef40b2f797cd8e0d85c4a67155
• Instruction ID: 4c5c1bc7a2d103c45d79bd59a8ec2f2c1dd7ffc5558536296a20460e61660749
• Opcode Fuzzy Hash: 3dee4d77f466098574f4444984805cd6b0dc92ef40b2f797cd8e0d85c4a67155
• Instruction Fuzzy Hash: 623108B1D042199FCB04DF99C951BEEBBB5FF88305F208519E815B7381DB746A04CBA0
APIs
• __freea.LIBCMT ref: 0096EF97
  • Part of subcall function 0096AC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0095FB1F,00000000,?,0091322C,00000000,?,009013A5,00000000), ref: 0096AC47
• __freea.LIBCMT ref: 0096EFAA
• __freea.LIBCMT ref: 0096EFB7
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: __freea$AllocateHeap
• String ID:
• API String ID: 2243444508-0
• Opcode ID: 9f89bb4d4e4cc72fe769650b4ed3979a4c568e290e6e4fb33d691e41c0aa8052
• Instruction ID: 133920a93277ff2dacb4e6f684a04b9598aa5a3949ae4aacfa7027bc08677e91
• Opcode Fuzzy Hash: 9f89bb4d4e4cc72fe769650b4ed3979a4c568e290e6e4fb33d691e41c0aa8052
• Instruction Fuzzy Hash: D851C37A60020AAFEF219F65DC85EBB7AADEF84710F250429FD08D7250EB35DC50D661
APIs
  • Part of subcall function 00972A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00972AC0
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00972DA5,?,00000000,?,00000000,?), ref: 00972FC2
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00972DA5,?,00000000,?,00000000,?), ref: 00972FFE
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 5cd70824c1dda3cac5d9ece2617a1426b5e62f071982b266822a8cc90e5f6469
• Instruction ID: eed31fe192cdfb5b1044d0e8181918d792046a0803cd1dad9a3f1a29d92585a8
• Opcode Fuzzy Hash: 5cd70824c1dda3cac5d9ece2617a1426b5e62f071982b266822a8cc90e5f6469
• Instruction Fuzzy Hash: 0A513572A043458EDB21CF35C881BABFBF8EF81300F14C56ED08A8B251E6799A45DB50
APIs
• LCMapStringEx.KERNELBASE(?,0096EED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 0096E207
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,0096EED2,?,?,-00000008,?,00000000), ref: 0096E225
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: String
• String ID:
• API String ID: 2568140703-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,0321518A), ref: 0321353D
• RtlFreeHeap.NTDLL(00000000), ref: 03213544
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00972DA5,?), ref: 00972B9B
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
APIs
• stdext::threads::lock_error::lock_error.LIBCPMTD ref: 0096037B
  • Part of subcall function 0096106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0096038E,?,?,?,?,0096038E,?,00988484), ref: 009610CC
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: ExceptionRaisestdext::threads::lock_error::lock_error
• String ID:
• API String ID: 3447279179-0
APIs
• Concurrency::cancel_current_task.LIBCPMTD ref: 00901477
  • Part of subcall function 00913D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00913D89
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
• String ID:
• API String ID: 2103942186-0
APIs
• RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0095FB1F,00000000,?,0091322C,00000000,?,009013A5,00000000), ref: 0096AC47
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00914B9E
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: allocator
• String ID:
• API String ID: 3447690668-0
APIs
• GetFileAttributesW.KERNELBASE(03215051,0321447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03213ECC), ref: 0321407E
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00918B81
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
  • Part of subcall function 0321407D: GetFileAttributesW.KERNELBASE(03215051,0321447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03213ECC), ref: 0321407E
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03213F5D
• FindNextFileW.KERNEL32(03211710,?), ref: 03213FFE
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
• String ID: %s%s$%s\%s$%s\*
• API String ID: 674214967-2064654797
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,0097576A,00000002,00000000,?,?,?,0097576A,?,00000000), ref: 009754F1
• GetLocaleInfoW.KERNEL32(?,20001004,0097576A,00000002,00000000,?,?,?,0097576A,?,00000000), ref: 0097551A
• GetACP.KERNEL32(?,?,0097576A,?,00000000), ref: 0097552F
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
  • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
  • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0097573C
• IsValidCodePage.KERNEL32(00000000), ref: 0097577A
• IsValidLocale.KERNEL32(?,00000001), ref: 0097578D
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 009757D5
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 009757F0
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
APIs
  • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
  • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
• GetACP.KERNEL32(?,?,?,?,?,?,009689B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00974D7E
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,009689B1,?,?,?,00000055,?,-00000050,?,?), ref: 00974DB5
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00974F18
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0321410D
• FindNextFileW.KERNEL32(000000FF,?), ref: 03214159
  • Part of subcall function 03213536: GetProcessHeap.KERNEL32(00000000,00000000,0321518A), ref: 0321353D
  • Part of subcall function 03213536: RtlFreeHeap.NTDLL(00000000), ref: 03213544
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: FileFindHeap$FirstFreeNextProcess
• String ID: %s\%s$%s\*
• API String ID: 1689202581-2848263008
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 009604A1
• IsDebuggerPresent.KERNEL32 ref: 0096056D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00960586
• UnhandledExceptionFilter.KERNEL32(?), ref: 00960590
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
APIs
  • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
  • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00975130
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0097517A
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00975240
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
                                                                                                                                                                                                                            • Opcode ID: 226bb7a195e8ac7e0a6fd90615c5d5c2a1214b8164797110604016d77fa54771
                                                                                                                                                                                                                            • Instruction ID: 704cb5c0084ec67773e3a7e0334f7db9d1f0e4d2d5da7a5734e2b3e13c2be30c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 226bb7a195e8ac7e0a6fd90615c5d5c2a1214b8164797110604016d77fa54771
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0C61B272914A079FDBA89F28CC82B7A77B9FF44340F118079E919C6195F7B4D981CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0096447B
                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00964485
                                                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00964492
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                                                                                            • Opcode ID: 82d24ee7d92e285f7946b544a9e0eac098332bd3727f5e1ae092431160e077a9
                                                                                                                                                                                                                            • Instruction ID: e4984a4bd0a40087ffac70a8a41c86ea198a66288d8ce1e396fb3738bdff8b99
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82d24ee7d92e285f7946b544a9e0eac098332bd3727f5e1ae092431160e077a9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5531C3759112289BCB21DF64DC89B8DBBB8BF48310F5042EAE40CA7260EB749F85CF44
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00960152
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                                                                                            • Opcode ID: 2c62017946c12bc66ba91b6e1cb5c85c510e310b1fc2eb82a52d0a2cfd99a414
                                                                                                                                                                                                                            • Instruction ID: e267236d26629bfff8577910a1005e71076e0a393ab74f21cc33824cd37b8a7b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c62017946c12bc66ba91b6e1cb5c85c510e310b1fc2eb82a52d0a2cfd99a414
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D95182B1D192058FEB15CFA5D8D67AEB7F4FB84310F28856AD406EB361D3789940CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00975383
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                                                            • Opcode ID: dd7e2a08a1feede28ec7b3e713fee27ce06f32a9b2ce36eb8a4bc900a7060df5
                                                                                                                                                                                                                            • Instruction ID: a494fa9b0a5607b520417616e66edc68e7ab070010ff38e82cc062b77b531d06
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd7e2a08a1feede28ec7b3e713fee27ce06f32a9b2ce36eb8a4bc900a7060df5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1B21B373615606ABDB189F14DC42B7A33BCEF84754F11807AF909D6151EBB8ED41CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(009750DC,00000001,00000000,?,-00000050,?,00975710,00000000,?,?,?,00000055,?), ref: 00975028
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                                                            • Opcode ID: a839646dba5f2fbbb74a1c3667fcd8e119e89e9c4db6222302bbe41abca9601f
                                                                                                                                                                                                                            • Instruction ID: cc7d665f3feeba560c556d08559ef5151680f538336a7a15933c1a3707953988
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a839646dba5f2fbbb74a1c3667fcd8e119e89e9c4db6222302bbe41abca9601f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 65114C372007059FDB189F38C89167AB795FF84358B15842CE94E87740D3717843CB80
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
                                                                                                                                                                                                                              • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,009752F8,00000000,00000000,?), ref: 0097558A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: f74bfa87cff3bbe8ca4fcfb9caacb80d62d29ebc6ec6df5bd7ec7a33cfa2de02
• Instruction ID: 8cd3ae0b4b039eee553da980b4529b076fb2be16eaaef3efc52057fd9e300205
• Opcode Fuzzy Hash: f74bfa87cff3bbe8ca4fcfb9caacb80d62d29ebc6ec6df5bd7ec7a33cfa2de02
• Instruction Fuzzy Hash: DD01AE336106136FDB585624CC55BBB7769EF40754F168429FD0AE3180EAB4FE41C690
APIs
  • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
  • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
• EnumSystemLocalesW.KERNEL32(0097532F,00000001,00000000,?,-00000050,?,009756D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0097509B
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 62af10e13f93f6f7f7728f8650794ad327003886dc142a33aab1dc57a833c3c6
• Instruction ID: e9e36a83b1b83cd3c7793bfb5811abe2ea7c1b9fa00645d26fc7fe6594b072f6
• Opcode Fuzzy Hash: 62af10e13f93f6f7f7728f8650794ad327003886dc142a33aab1dc57a833c3c6
• Instruction Fuzzy Hash: CBF0C237300B045FDB246F399881A6A7BA5EB80368B06842DF94E4B690D6B19C42C690
APIs
  • Part of subcall function 009649CA: EnterCriticalSection.KERNEL32(-0098B8A8,?,009676D7,00000000,00988C40,0000000C,0096769F,?,?,0096DB90,?,?,0096AA8E,00000001,00000364,00000000), ref: 009649D9
• EnumSystemLocalesW.KERNEL32(0096DBBA,00000001,00988E30,0000000C,0096DF92,00000000), ref: 0096DBFF
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 4b9c85a5067e4b5eddafe5d554224c90f71e2af5153a575476d9027e52db9ac5
• Instruction ID: e32d7d09c39ef368e0cdda5b0c3b25e7e40ca871efc61ec98837d6322420c176
• Opcode Fuzzy Hash: 4b9c85a5067e4b5eddafe5d554224c90f71e2af5153a575476d9027e52db9ac5
• Instruction Fuzzy Hash: A2F03732A55204DFD700EF98E842B9E77B0FB89725F10416AE4149B3A1CBB95900DB90
APIs
  • Part of subcall function 0096A8F0: GetLastError.KERNEL32(?,?,009671B7,?,?,?,?,00000003,00964382,?,009642F1,?,00000000,00964500), ref: 0096A8F4
  • Part of subcall function 0096A8F0: SetLastError.KERNEL32(00000000,00000000,00964500,?,?,?,?,?,00000000,?,?,0096459E,00000000,00000000,00000000,00000000), ref: 0096A996
• EnumSystemLocalesW.KERNEL32(00974EC4,00000001,00000000,?,?,00975732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00974FA2
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 3d6246dd598e92d10786a7cd24f3d4db5b5df47be422c1bcb2390b7774bd9607
• Instruction ID: 560faa1c8b310072a45b8ab9cfbad8b789ded33eb525481bc9401852166e26d3
• Opcode Fuzzy Hash: 3d6246dd598e92d10786a7cd24f3d4db5b5df47be422c1bcb2390b7774bd9607
• Instruction Fuzzy Hash: 06F0E5377402455BCF049F39D84566ABFA8FFC1764B068059EE098B692D7719882C790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00969527,?,20001004,00000000,00000002,?,?,00968B19), ref: 0096E0CA
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 676856b9c619d1a4adbfc9b7930c9b28fbb14b114c877700c77a6da632505471
• Instruction ID: fc5fcba1426369a9c0bf77afd6f43ccf3af56f218749073e708615e717f0ecc3
• Opcode Fuzzy Hash: 676856b9c619d1a4adbfc9b7930c9b28fbb14b114c877700c77a6da632505471
• Instruction Fuzzy Hash: 45E04F3A51812CBBCF122F61DC04F9E7F2AFF44760F044410FC1966161CB769920EAD5
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,0095FC56), ref: 00960627
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 50994ca3c1933b0c9e3dc0064db502b622eb96a083f01dc5b843dd49c7582f77
• Instruction ID: dc5e2d1426447ae0caf03b25a158eced5af60e825637bc5fe517481107738cc8
• Opcode Fuzzy Hash: 50994ca3c1933b0c9e3dc0064db502b622eb96a083f01dc5b843dd49c7582f77
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 54951025-0
                                                                                                                                                                                                                            • Opcode ID: 0fdeae65b71857ea9c333daa12f9a3282297e05050290b183365b179d8527097
                                                                                                                                                                                                                            • Instruction ID: 41ce1d9c34b783a665c576eddd1f1bf69cb70433d9c5b3ad79716ad77563d790
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0fdeae65b71857ea9c333daa12f9a3282297e05050290b183365b179d8527097
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CCA00271529146CB57405F755F0920937F5A645591B4541555505C5160D7244450AB05
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,03214574), ref: 03214305
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0321430E
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03214574), ref: 0321431F
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03214322
                                                                                                                                                                                                                              • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
                                                                                                                                                                                                                              • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
                                                                                                                                                                                                                              • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
                                                                                                                                                                                                                              • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03214574), ref: 032143A4
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(03214574,00000000,00000000,00000002,?,?,?,?,03214574), ref: 032143C0
                                                                                                                                                                                                                            • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03214574), ref: 032143CF
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(03214574,?,?,?,?,03214574), ref: 032143FF
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(03214574,00000000,00000000,00000001,?,?,?,?,03214574), ref: 0321440D
                                                                                                                                                                                                                            • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03214574), ref: 0321441C
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,03214574), ref: 0321442F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 03214452
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0321445A
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                                                                                                                                                                                                            • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                                                                                                                                                                                                            • API String ID: 3110323036-2044536123
                                                                                                                                                                                                                            • Opcode ID: 9dda8fdb5c0b4d22455dedfa059e6fb7f0a773a30da7d9647fc3e9ca80ae790d
                                                                                                                                                                                                                            • Instruction ID: d6ece523f24594397374387dd7ad84e28c08a8fbab3dd3b5f5d6d23cd594759d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9dda8fdb5c0b4d22455dedfa059e6fb7f0a773a30da7d9647fc3e9ca80ae790d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0441C871A10216BBDB10EBE69E489AFBBF9EFA4710F144155F914D7140DB70CA90DB90
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                                                                                            • API String ID: 3904239083-1405518554
                                                                                                                                                                                                                            • Opcode ID: 0a34e1a0aab33d5c25c1b39223f44f1f11e3e85aa973e706b4f6be33356e3b78
                                                                                                                                                                                                                            • Instruction ID: 303a66c4b8500bad3b44356aa75e9a73df6ac8fa90c9ad48c40157f4712a8c77
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a34e1a0aab33d5c25c1b39223f44f1f11e3e85aa973e706b4f6be33356e3b78
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F215EB090424ADFCF04EB98C955BBEBB75AF84308F14455CE5122B3C2CB755A04C765
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                                                                            • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                                                                                                                                                                                                            • API String ID: 1302938615-1267642376
                                                                                                                                                                                                                            • Opcode ID: eb2e00f196d6b3fe085e761ce6d1750a5548bee9fbfc82de64ecf33cb6963dc8
                                                                                                                                                                                                                            • Instruction ID: 520559f39a0fe91b73fcedc2bded77e2f19a10f1aa40e195de83b5da7504515d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb2e00f196d6b3fe085e761ce6d1750a5548bee9fbfc82de64ecf33cb6963dc8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C918971624306CFCB25CF28C58062BFBE9EFA4204F188D6EF49A87651D770AAD1CB51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00963400
                                                                                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 0096350E
                                                                                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00963660
                                                                                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 0096367B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 2751267872-393685449
                                                                                                                                                                                                                            • Opcode ID: c6678053808068013fc95ece9f4dcfbad0c929404de6a85ddc78983a8cbc04c7
                                                                                                                                                                                                                            • Instruction ID: 03196798848815a1c59610a70346e94e8ff05ddea9a7e9626c8331109a8793eb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c6678053808068013fc95ece9f4dcfbad0c929404de6a85ddc78983a8cbc04c7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B8B16771C00209EFCF15DFA4C982AAEBBB9BF58310B14855AF8166B212D735DB51CF91
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
• Opcode ID: c3e8a14123e39c2ad91ce81c63390b6c4bad9072a665e37ffa0e0348f74ae0d7
• Instruction ID: a98320ff58921435af8e72efb8afbd0c2bb85e43c91743b18b62a3dbdf2f4188
• Opcode Fuzzy Hash: c3e8a14123e39c2ad91ce81c63390b6c4bad9072a665e37ffa0e0348f74ae0d7
• Instruction Fuzzy Hash: E6B1D172E04249EFDB15DFADC881BAD7BB9BF85350F188158F50A9B392C7709942CB60
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 03211F90
• GetKeyboardLayoutList.USER32(00000032,?), ref: 03211FF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: DefaultKeyboardLanguageLayoutListUser
• String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
• API String ID: 167087913-619012376
• Opcode ID: e8955a02e3e40d2e340fb6d219b80d62bc3e14851eaa79fada2f126d430ede37
• Instruction ID: 7072a2fb04719c17107308c695e4e65063b3fe43468fb814d3bf29c6689c0526
• Opcode Fuzzy Hash: e8955a02e3e40d2e340fb6d219b80d62bc3e14851eaa79fada2f126d430ede37
• Instruction Fuzzy Hash: 3331D514E28388A9DB01DFE8E5017FDBBB0AF34701F005096F648FA281D7794BA5C76A
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,3E89E666,?,0096DEA3,00000000,009013A5,00000000,00000000), ref: 0096DE55
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: f1914e8290618265748b47f47e7fcebaa806190e513166cb6704d76f11247bf2
• Instruction ID: dea0103dfc63e997ebd417ac890cd2e51c34b739d9a9532df4cd96f8327999a4
• Opcode Fuzzy Hash: f1914e8290618265748b47f47e7fcebaa806190e513166cb6704d76f11247bf2
• Instruction Fuzzy Hash: 9B21D272F16210ABCB229B61DC41B5E376CDFA27A0F250510E92AAB2D0D731ED40DAE1
APIs
• __EH_prolog3.LIBCMT ref: 0095E51D
• std::_Lockit::_Lockit.LIBCPMT ref: 0095E527
• int.LIBCPMTD ref: 0095E53E
  • Part of subcall function 009046D0: std::_Lockit::_Lockit.LIBCPMT ref: 009046E6
  • Part of subcall function 009046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00904710
• codecvt.LIBCPMT ref: 0095E561
• std::_Facet_Register.LIBCPMT ref: 0095E578
• std::_Lockit::~_Lockit.LIBCPMT ref: 0095E598
• Concurrency::cancel_current_task.LIBCPMTD ref: 0095E5A5
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
• Opcode ID: eee9edc44b744fe6cbca1083280430439b7fcebc452442b98c67764543ca4331
• Instruction ID: 749c336797cd4b84ef5a37acb0ebdaaf0311bb7e783718bb9619f5f7f5ef6a42
• Opcode Fuzzy Hash: eee9edc44b744fe6cbca1083280430439b7fcebc452442b98c67764543ca4331
• Instruction Fuzzy Hash: 8D11B1B29103199FCB14EBA5D8467AE77B9BFC4321F144509F805AB291EFB49E05CB90
APIs
• __EH_prolog3.LIBCMT ref: 0095D7AF
• std::_Lockit::_Lockit.LIBCPMT ref: 0095D7B9
• int.LIBCPMTD ref: 0095D7D0
  • Part of subcall function 009046D0: std::_Lockit::_Lockit.LIBCPMT ref: 009046E6
  • Part of subcall function 009046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00904710
• codecvt.LIBCPMT ref: 0095D7F3
• std::_Facet_Register.LIBCPMT ref: 0095D80A
• std::_Lockit::~_Lockit.LIBCPMT ref: 0095D82A
• Concurrency::cancel_current_task.LIBCPMTD ref: 0095D837
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
• Opcode ID: ce6f52b58b8f42670eee5643e6dba8dd41d7727601a14f1f3d02b76e3a84b763
• Instruction ID: fdd998702cf42173a692d3b2e2d4f7c6fd7c81e02c33585182ce849e480a2075
• Opcode Fuzzy Hash: ce6f52b58b8f42670eee5643e6dba8dd41d7727601a14f1f3d02b76e3a84b763
• Instruction Fuzzy Hash: DA01C0B591021A9FCB11EBA19C467AE77B5BFC4311F140108E8116B291CF749E09C780
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0095F927
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0095F992
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0095F9AF
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0095F9EE
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0095FA4D
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0095FA70
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
                                                                                                                                                                                                                            • Opcode ID: 6db1cc97b45e6bc588621d8344c77aa1abbe063a9b6d5a36eeb1db784ff6a585
                                                                                                                                                                                                                            • Instruction ID: eb8e13f6447d4b02367ce7b39c5ee3e01fd367ef4169c7a5510b5a83202b9137
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6db1cc97b45e6bc588621d8344c77aa1abbe063a9b6d5a36eeb1db784ff6a585
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED51B07291020ABBEF20DFA6CC55FAB7BA9EB44761F104435FD09E6150E7748C18DB91
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID:
• String ID: x
• API String ID: 0-2363233923
• Opcode ID: 5ab4f095a449cb9e1815577a4fbee0d4742d840bb254c61cffccd7215ad8900a
• Instruction ID: df44f9605549f2f4ed5d6305719c2de1166bc87a777a335860c189f05ad32cbc
• Opcode Fuzzy Hash: 5ab4f095a449cb9e1815577a4fbee0d4742d840bb254c61cffccd7215ad8900a
• Instruction Fuzzy Hash: 8602C278E2020ADFCB41DF98CA84AADB7F5FF18304F148456E926EB250D770AA61CF51
APIs
• GetLastError.KERNEL32(?,?,00962FA1,009616DC,00960672), ref: 00962FB8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00962FC6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00962FDF
• SetLastError.KERNEL32(00000000,00962FA1,009616DC,00960672), ref: 00963031
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 6873e58fb9a30a3663052377490f8f6ed9bbf0f432434d0f5f5d26851f3bbfbb
• Instruction ID: af062cd83d1a9def50f3a6c16905a3eccda56252405a4b18731232506b9dc2b6
• Opcode Fuzzy Hash: 6873e58fb9a30a3663052377490f8f6ed9bbf0f432434d0f5f5d26851f3bbfbb
• Instruction Fuzzy Hash: 3901203212D7226DB7252FF47D85B1B2669EBA3B70730032AF110691E0EF554C457345
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3E89E666,?,?,00000000,00978AEC,000000FF,?,009680A8,?,?,0096807C,00000000), ref: 00968101
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00968113
• FreeLibrary.KERNEL32(00000000,?,00000000,00978AEC,000000FF,?,009680A8,?,?,0096807C,00000000), ref: 00968135
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0599e83ea275b5374285f732d0101e0ea41b4a87303463b30007e6bf9c46a486
• Instruction ID: 09a4a0239bf22187bf4e84c3d1a752ac40a0d7742e5e6bd64d1925793502ad42
• Opcode Fuzzy Hash: 0599e83ea275b5374285f732d0101e0ea41b4a87303463b30007e6bf9c46a486
• Instruction Fuzzy Hash: E401DB32568515EFDB119F54CC09BAFBBBCFB45B18F004625F815A22A0EF789840DB50
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00901E40
• int.LIBCPMTD ref: 00901E59
  • Part of subcall function 009046D0: std::_Lockit::_Lockit.LIBCPMT ref: 009046E6
  • Part of subcall function 009046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00904710
• Concurrency::cancel_current_task.LIBCPMTD ref: 00901E99
• std::_Lockit::~_Lockit.LIBCPMT ref: 00901F01
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
• String ID:
• API String ID: 3053331623-0
• Opcode ID: aba125f2a2cea76c8204111a04cf53d16f5f360eef8eb89480e037f1b0587172
• Instruction ID: 1a285631d17745b15d258805ec76387b01cd066cb8b05ec56078805f72b7934a
• Opcode Fuzzy Hash: aba125f2a2cea76c8204111a04cf53d16f5f360eef8eb89480e037f1b0587172
• Instruction Fuzzy Hash: 55312BB5D00209DFCB04EF98D892BEEBBB4BF58310F204619E925673D1DB346A44CBA1
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00901F40
• int.LIBCPMTD ref: 00901F59
  • Part of subcall function 009046D0: std::_Lockit::_Lockit.LIBCPMT ref: 009046E6
  • Part of subcall function 009046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00904710
• Concurrency::cancel_current_task.LIBCPMTD ref: 00901F99
• std::_Lockit::~_Lockit.LIBCPMT ref: 00902001
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
• String ID:
• API String ID: 3053331623-0
• Opcode ID: c59008b82436e7bdd62a07cd17c6ee993e88a4718f93e8a20a819beb433a5e22
• Instruction ID: 5eb32b9ba13fe09ecec32d54b36d301d7cda52828fc41c1b8edd6d381a30701c
• Opcode Fuzzy Hash: c59008b82436e7bdd62a07cd17c6ee993e88a4718f93e8a20a819beb433a5e22
• Instruction Fuzzy Hash: 583138B1D0420ADFCB04EF94D882BEEBBB4BF48310F204219E51567391DB745A44CBA1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 0095CE44
                                                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0095CE4F
                                                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0095CEBD
                                                                                                                                                                                                                              • Part of subcall function 0095CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0095CFB8
                                                                                                                                                                                                                            • std::locale::_Setgloballocale.LIBCPMT ref: 0095CE6A
                                                                                                                                                                                                                            • _Yarn.LIBCPMT ref: 0095CE80
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1088826258-0
                                                                                                                                                                                                                            • Opcode ID: 55e3a66a6b3df4ac316636ffa430aaa13e2337dc9bf5f3920dad7c68a7b9ae81
                                                                                                                                                                                                                            • Instruction ID: 8ff2a2aa03d3a5a6fe775552facc5cb4300f4bddb8cd1fbd88886299bc6925ce
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55e3a66a6b3df4ac316636ffa430aaa13e2337dc9bf5f3920dad7c68a7b9ae81
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C201BCB6A182119FC705EB21D89AA7D7B76FFC8341B184008EC025B391CF786E4ADBC1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00964023,00000000,?,0098B824,?,?,?,009641C6,00000004,InitializeCriticalSectionEx,0097B270,InitializeCriticalSectionEx), ref: 0096407F
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,00964023,00000000,?,0098B824,?,?,?,009641C6,00000004,InitializeCriticalSectionEx,0097B270,InitializeCriticalSectionEx,00000000,?,00963F7D), ref: 00964089
                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 009640B1
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                            • Opcode ID: 5983799853dfabc123dd01e3f4599a495b2250279f140cb3b0e9c367336a0127
                                                                                                                                                                                                                            • Instruction ID: 84d5054f2a5e79e5578b827d03bc766fdc33c81e9550c96dd2b3345c7600ebd4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5983799853dfabc123dd01e3f4599a495b2250279f140cb3b0e9c367336a0127
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86E04F31694218FBEF202BA0EC06F593BA8DB50B54F104020FE0CE80E1E763D890A9DA
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetConsoleOutputCP.KERNEL32(3E89E666,00000000,00000000,00000000), ref: 0096F4FA
                                                                                                                                                                                                                              • Part of subcall function 00971EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0096EF8D,?,00000000,-00000008), ref: 00971F1E
                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0096F74C
                                                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0096F792
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0096F835
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2112829910-0
                                                                                                                                                                                                                            • Opcode ID: 20ccf7691fbc7842f1cef7a6982eaba450f9c56fd51b9118ccefe102d892980e
                                                                                                                                                                                                                            • Instruction ID: 3239f5fe54d0ee5a20ad0c14f5ed5750aa482d9af7ce0a628764038bbc25f238
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 20ccf7691fbc7842f1cef7a6982eaba450f9c56fd51b9118ccefe102d892980e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35D19D76D042499FCF15CFE8E890AADBBB5FF49300F28456AE426EB351D730A946CB50
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AdjustPointer
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1740715915-0
                                                                                                                                                                                                                            • Opcode ID: b3e02872b995adf85922d7b43d9499c5dd8bdaa4bf51705b4d575f09ab4ec1c6
                                                                                                                                                                                                                            • Instruction ID: c1023b8d3059c28c99c8e3a0c3a01f6e55c14d353e3afb86e7ad27d16ab760dd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b3e02872b995adf85922d7b43d9499c5dd8bdaa4bf51705b4d575f09ab4ec1c6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C3512676A08206AFDB298F20D891BBAB7A9FF85310F15C52DEC0687291D735EE45C790
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00971EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0096EF8D,?,00000000,-00000008), ref: 00971F1E
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 009722DE
                                                                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 009722E5
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0097231F
                                                                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 00972326
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: c19ff7b5b62af6853e05d2034d6ee2f47e245b673ed5a5ef47c8e667bb3d8aec
• Instruction ID: 7353c5da2d3682564ea069a36ce08e79165cd7c064df9c68d70b161ac850b39f
• Opcode Fuzzy Hash: c19ff7b5b62af6853e05d2034d6ee2f47e245b673ed5a5ef47c8e667bb3d8aec
• Instruction Fuzzy Hash: 9E21F233214306AFDB24AF618881E6ABBADEF84764710C918F82D87242D734ED4087A0
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: befb5d44b94c7377bec1855f3c2da23ffeeaa015ccca3506dce94da8a6e2cf46
• Instruction ID: 254cca9494ea22eb21d239b5d79e9af3381e41d18954c296ea31af77735eb40c
• Opcode Fuzzy Hash: befb5d44b94c7377bec1855f3c2da23ffeeaa015ccca3506dce94da8a6e2cf46
• Instruction Fuzzy Hash: BA218471608615AFDB20AFB5DC44E6BFBADEF803AC7108954F81AD7160EB70ED5097A0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00973226
  • Part of subcall function 00971EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0096EF8D,?,00000000,-00000008), ref: 00971F1E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0097325E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0097327E
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: b21a9c014b786a2b9612d9829f49829bad9728b2e2cefdb621d03bf85f2bf751
• Instruction ID: 1388a42313b994a80120c21f377fd669388a903d8cd5b82a39f158c8dda42e56
• Opcode Fuzzy Hash: b21a9c014b786a2b9612d9829f49829bad9728b2e2cefdb621d03bf85f2bf751
• Instruction Fuzzy Hash: 6711D6B36195157FA71137B55CCEDBF39ACDEC93A87108524F80AD1102FE24CE41A671
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00976B6B,00000000,00000001,0000000C,00000000,?,0096F889,00000000,00000000,00000000), ref: 00977C52
• GetLastError.KERNEL32(?,00976B6B,00000000,00000001,0000000C,00000000,?,0096F889,00000000,00000000,00000000,00000000,00000000,?,0096FE2C,?), ref: 00977C5E
  • Part of subcall function 00977C24: CloseHandle.KERNEL32(FFFFFFFE,00977C6E,?,00976B6B,00000000,00000001,0000000C,00000000,?,0096F889,00000000,00000000,00000000,00000000,00000000), ref: 00977C34
• ___initconout.LIBCMT ref: 00977C6E
  • Part of subcall function 00977BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00977C15,00976B58,00000000,?,0096F889,00000000,00000000,00000000,00000000), ref: 00977BF9
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00976B6B,00000000,00000001,0000000C,00000000,?,0096F889,00000000,00000000,00000000,00000000), ref: 00977C83
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 501f66e653a7685a097d744135fe16f5a2e2e2cba1739b4bd393e4cfa94770a6
• Instruction ID: f68c0cb10d10976dd07d997b862fc798a0ca2545f09aa4478a78f5959c666a14
• Opcode Fuzzy Hash: 501f66e653a7685a097d744135fe16f5a2e2e2cba1739b4bd393e4cfa94770a6
• Instruction Fuzzy Hash: 89F03037519115BBCF221FD5DC08E897F2AFB497A0F098050FA0D85630C6328860EB95
APIs
  • Part of subcall function 03213508: EnterCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 03213512
  • Part of subcall function 03213508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,032151B7), ref: 0321351B
  • Part of subcall function 03213508: RtlAllocateHeap.NTDLL(00000000,?,?,032151B7), ref: 03213522
  • Part of subcall function 03213508: LeaveCriticalSection.KERNEL32(032184D4,?,?,032151B7), ref: 0321352B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03212E3D
Strings
Memory Dump Source
• Source File: 00000009.00000002.3357011291.0000000003210000.00000040.00001000.00020000.00000000.sdmp, Offset: 03210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3210000_EDA0.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
• String ID: x
• API String ID: 1990697408-2363233923
• Opcode ID: d5e742db767e12b6d5aa06c5c5124fe83173fd5fc63ba85d64b217efeca34ac7
• Instruction ID: deed09abc824d0466dd66d857b466b884b5ec70234863e8541f67576c8c5c658
• Opcode Fuzzy Hash: d5e742db767e12b6d5aa06c5c5124fe83173fd5fc63ba85d64b217efeca34ac7
• Instruction Fuzzy Hash: 8802BE7491424AEFCF11CF98DA84AADBBF0FB19310F148895E855EB250D770AAA1CF51
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0096BC8D
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 52df50870dcd82ff399a197cff76fe00b2d1c8df6f7851ab1ae9c1f44a266cd4
• Instruction ID: 8b149adfffe658a42745573b626c5b659f175724407912e003e7cbf418de5715
• Opcode Fuzzy Hash: 52df50870dcd82ff399a197cff76fe00b2d1c8df6f7851ab1ae9c1f44a266cd4
• Instruction Fuzzy Hash: 8E515DE291810296C7117B18CD513793B98EB90740F208D69F4DAC62E9FF3D8DD5AB45
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00962DEF
• __IsNonwritableInCurrentImage.LIBCMT ref: 00962EA3
Strings
Memory Dump Source
• Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 3480331319-1018135373
                                                                                                                                                                                                                            • Opcode ID: 070746d3d543711a773f17a46961c87dfb9727a002ee5c1219b79cd0a687d122
                                                                                                                                                                                                                            • Instruction ID: 031cd825db9daf9ca8aad9b308b084322a50a0189299ee3ce82db8a81abe349b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 070746d3d543711a773f17a46961c87dfb9727a002ee5c1219b79cd0a687d122
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED41B334E006099BCF11DF68C884B9EBBB9BF85324F14C165E8186B392D73ADE15CB91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 009636AB
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000009.00000002.3348982230.0000000000901000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00900000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3348946363.0000000000900000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349069499.0000000000979000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349098844.000000000098A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349123617.000000000098B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000009.00000002.3349149030.000000000098C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_9_2_900000_EDA0.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                            • Opcode ID: a8b3dbaa32ee8c985c14171f70909f191500ffd910b167cf3982b6d56843f8ac
                                                                                                                                                                                                                            • Instruction ID: d3a6a2708cf77c5d074792425fe0997f69743b41ae7313311662c4536b3f9a57
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a8b3dbaa32ee8c985c14171f70909f191500ffd910b167cf3982b6d56843f8ac
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00416BB1900209AFDF15DF98CD82AEEBBB9FF48300F188159F909A7261D335AA50DF50