Windows Analysis Report
JuHVfiAuLo.exe

Overview

General Information

Sample name: JuHVfiAuLo.exe (renamed because original name is a hash value)
Original sample name: 0c653f386efe0b014ffc681b49120706.exe
Analysis ID: 1466598
MD5: 0c653f386efe0b014ffc681b49120706
SHA1: dd7ddec0bae7270469fa6cfb9d3d0b7f0c170b54
SHA256: a6c2a7ffb68b797967ad979e51a1330e9f16223e4f5dc8500b0a58741176f83c
Tags: exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • JuHVfiAuLo.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\JuHVfiAuLo.exe" MD5: 0C653F386EFE0B014FFC681B49120706)
    • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 37A.exe (PID: 2464 cmdline: C:\Users\user\AppData\Local\Temp\37A.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • 2C50.exe (PID: 4128 cmdline: C:\Users\user\AppData\Local\Temp\2C50.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 5096 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
          • GamePall.exe (PID: 6812 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2944 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3836 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 996 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 2768 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1316 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6056 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1508 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2064 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3696 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2828 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3216 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 368 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 764 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4272 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3672 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5916 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 1460 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • 56AD.exe (PID: 4936 cmdline: C:\Users\user\AppData\Local\Temp\56AD.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
  • ifgewai (PID: 2168 cmdline: C:\Users\user\AppData\Roaming\ifgewai MD5: 0C653F386EFE0B014FFC681B49120706)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
LummaC: {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
SmokeLoader: {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Poverty Stealer: {"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings
00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source | Rule | Description | Author | Strings
12.2.56AD.exe.39b0000.3.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
12.2.56AD.exe.1218f80.2.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
12.2.56AD.exe.125e8a0.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
12.2.56AD.exe.39b0000.3.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
12.2.56AD.exe.125e8a0.1.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 5096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\ifgewai, CommandLine: C:\Users\user\AppData\Roaming\ifgewai, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ifgewai, NewProcessName: C:\Users\user\AppData\Roaming\ifgewai, OriginalFileName: C:\Users\user\AppData\Roaming\ifgewai, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\ifgewai, ProcessId: 2168, ProcessName: ifgewai
No Snort rule has matched

AV Detection

Source: JuHVfiAuLo.exe | Avira: detected
Source: https://foodypannyjsud.shop/w | Avira URL Cloud: Label: malware
Source: http://gebeus.ru/tmp/index.php | Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php | Avira URL Cloud: Label: malware
Source: contintnetksows.shop | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/J | Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/pi_ | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apin | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apio | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/piV | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apiw | Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz | Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz | Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop | Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\37A.exe | Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Temp\2C50.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 12.2.56AD.exe.39b0000.3.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 37A.exe.2464.6.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "bOKHNM--"}
Source: http://gebeus.ru/tmp/index.php | Virustotal: Detection: 15%
Source: http://cx5519.com/tmp/index.php | Virustotal: Detection: 11%
Source: contintnetksows.shop | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\2C50.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\37A.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\ifgewai | ReversingLabs: Detection: 39%
Source: JuHVfiAuLo.exe | ReversingLabs: Detection: 39%
Source: JuHVfiAuLo.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\37A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Joe Sandbox ML: detected
Source: JuHVfiAuLo.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B1C94 CryptUnprotectData,CryptProtectData,12_2_039B1C94
Source: JuHVfiAuLo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbc source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.14.dr
                  Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
                  Source: Binary string: ntkrnlmp.pdbx source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbY source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.2985165110.00000000001C2000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 56AD.exe, 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.14.dr
                  Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
                  Source: Binary string: ntkrnlmp.pdbb source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Directory queried: number of queries: 1389
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004B24BD FindFirstFileExW,12_2_004B24BD
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B1000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,12_2_039B1000
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B4E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,12_2_039B4E27
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B1D3C FindFirstFileW,FindNextFileW,12_2_039B1D3C
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B40BA FindFirstFileW,FindNextFileW,12_2_039B40BA
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B3EFC FindFirstFileW,FindNextFileW,12_2_039B3EFC
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\

Networking

Source: C:\Windows\explorer.exe | Network Connect: 141.8.192.126 80
Source: C:\Windows\explorer.exe | Network Connect: 185.68.16.7 443
Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
Source: C:\Windows\explorer.exe | Network Connect: 2.185.214.11 80
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 104.192.141.1
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,12_2_00445B80
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 0000001E.00000002.3413359163.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity=4
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/1352358
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/275944
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/378067
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/437891.
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/456214
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/497301
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/510270
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/514696
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/642141
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/672186).
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/717501
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/775961
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/819404
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/839189
                  Source: resources.pak.14.drString found in binary or memory: http://crbug.com/957772
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                  Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                  Source: explorer.exe, 00000002.00000000.1434205230.0000000004405000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobeS
                  Source: 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
                  Source: 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                  Source: explorer.exe, 00000002.00000000.1433769568.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1435122753.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1435111090.0000000007710000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                  Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/).
                  Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/
                  Source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                  Source: 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                  Source: 2C50.exe, 00000008.00000003.1871311133.0000000003070000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://xiexie.wf/22_551/huge.dat
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
                  Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                  Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
                  Source: explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
                  Source: explorer.exe, 00000002.00000000.1434593106.000000000702D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
                  Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                  Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                  Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                  Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee(
                  Source: 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/l
                  Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
                  Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
                  Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: resources.pak.14.drString found in binary or memory: https://chrome.google.com/webstore
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chrome.google.com/webstore/category/extensions
                  Source: af.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: af.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=afCtrl$1
                  Source: hi.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: hi.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
                  Source: ja.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: ja.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=jaCtrl$1
                  Source: mr.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: mr.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=mrCtrl$1
                  Source: ms.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: ms.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=msCtrl$1
                  Source: tr.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: tr.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=trCtrl$1
                  Source: ur.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: ur.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
                  Source: vi.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: vi.pak.14.drString found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                  Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.drString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                  Source: resources.pak.14.drString found in binary or memory: https://chromewebstore.google.com/
                  Source: resources.pak.14.drString found in binary or memory: https://codereview.chromium.org/25305002).
                  Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                  Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: resources.pak.14.drString found in binary or memory: https://crbug.com/1201800
                  Source: resources.pak.14.drString found in binary or memory: https://crbug.com/1245093):
                  Source: resources.pak.14.drString found in binary or memory: https://crbug.com/1446731
                  Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
                  Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                  Source: 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/
                  Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/J
                  Source: 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878559703.0000000000C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/api
                  Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apiN
                  Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apin
                  Source: 37A.exe, 00000006.00000002.1912240377.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878333229.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871396191.0000000000C83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apio
                  Source: 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apiw
                  Source: 37A.exe, 00000006.00000003.1853429053.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/ks4
                  Source: 37A.exe, 00000006.00000003.1853429053.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/ksx
                  Source: 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/pi
                  Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/piV
                  Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/pi_
                  Source: 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/w
                  Source: 37A.exe, 00000006.00000003.1910649634.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878486202.0000000003AF2000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910950384.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1913522906.0000000003AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop:443/api
                  Source: 37A.exe, 00000006.00000003.1853092174.0000000003AF3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop:443/apicrosoft
                  Source: Newtonsoft.Json.xml.14.drString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                  Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://myactivity.google.com/
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: ur.pak.14.dr | String found in binary or memory: https://passwords.google.com
Source: ms.pak.14.dr | String found in binary or memory: https://passwords.google.comAkaun
Source: tr.pak.14.dr, hi.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr | String found in binary or memory: https://passwords.google.comGoogle
Source: af.pak.14.dr | String found in binary or memory: https://passwords.google.comGoogle-rekeningGestoorde
Source: vi.pak.14.dr | String found in binary or memory: https://passwords.google.comT
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://policies.google.com/
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comer
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GamePall.exe, 00000014.00000002.3097288070.00000000055D6000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1437648332.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com48
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: resources.pak.14.dr | String found in binary or memory: https://www.google.com/
Source: hi.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: ur.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: ms.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus
Source: af.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlBestuur
Source: vi.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: tr.pak.14.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: 37A.exe, 00000006.00000003.1826578266.0000000003B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: Newtonsoft.Json.xml.14.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_039B4BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC
Source: GamePall.exe | Process created: 48

System Summary

Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00402FE9 RtlCreateUserThread,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\ifgewai | Code function: 5_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004A1490
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004AD515
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004B4775
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004ABE09
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2C50.exe 42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: String function: 004A0310 appears 51 times
Source: JuHVfiAuLo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: JuHVfiAuLo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ifgewai.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.14.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.14.dr, Program.cs | Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', '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', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@256/114@0/10
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Code function: 0_2_0296F384 CreateToolhelp32Snapshot,Module32First
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ifgewai
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\37A.tmp
Source: JuHVfiAuLo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 37A.exe, 00000006.00000003.1813211172.0000000003B05000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1814214767.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1800583621.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1815597097.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1800904646.0000000003AF6000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2633336272.0000000001299000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: JuHVfiAuLo.exe | ReversingLabs: Detection: 39%
Source: JuHVfiAuLo.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\JuHVfiAuLo.exe "C:\Users\user\Desktop\JuHVfiAuLo.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ifgewai C:\Users\user\AppData\Roaming\ifgewai
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\37A.exe C:\Users\user\AppData\Local\Temp\37A.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2C50.exe C:\Users\user\AppData\Local\Temp\2C50.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\56AD.exe C:\Users\user\AppData\Local\Temp\56AD.exe
Source: C:\Users\user\AppData\Local\Temp\2C50.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\37A.exe C:\Users\user\AppData\Local\Temp\37A.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\2C50.exe C:\Users\user\AppData\Local\Temp\2C50.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\56AD.exe C:\Users\user\AppData\Local\Temp\56AD.exe
                  Source: C:\Windows\explorer.exe | Process created: unknown unknown
                  Source: C:\Windows\explorer.exe | Process created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe	Section loaded: msimg32.dll
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe	Section loaded: msvcr100.dll
                  Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
                  Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
                  Source: C:\Windows\explorer.exe	Section loaded: webio.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll
                  Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
                  Source: C:\Users\user\AppData\Roaming\ifgewai	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\ifgewai	Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Roaming\ifgewai	Section loaded: msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: acgenral.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: firewallapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mmdevapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: devobj.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: audioses.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: powrprof.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: umpdc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.ui.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windowmanagementapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: inputhost.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winsta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscms.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: coloradapterclient.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: omadmapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dmcmnutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iri.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dsreg.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dxgi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mfplat.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rtworkq.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbc source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.14.dr
                  Source: Binary string: D3DCompiler_43.pdb source: d3dcompiler_43.dll.14.dr
                  Source: Binary string: ntkrnlmp.pdbx source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbY source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000F.00000000.2985165110.00000000001C2000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000016.00000002.3206188987.0000000005332000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: 56AD.exe, 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.14.dr
                  Source: Binary string: D3DCompiler_43.pdb` source: d3dcompiler_43.dll.14.dr
                  Source: Binary string: ntkrnlmp.pdbb source: 56AD.exe, 0000000C.00000002.2826942661.000000000AAA0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                  Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000E.00000002.3578145645.00000000006DA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 56AD.exe, 0000000C.00000000.1932480311.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp, 56AD.exe, 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exeUnpacked PE file: 0.2.JuHVfiAuLo.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Roaming\ifgewaiUnpacked PE file: 5.2.ifgewai.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: Newtonsoft.Json.dll.14.drStatic PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exeCode function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,12_2_00445B80
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .vmpLp
                  Source: 37A.exe.2.drStatic PE information: section name: .vmpLp
                  Source: 37A.exe.2.drStatic PE information: section name: .vmpLp
                  Source: 37A.exe.2.drStatic PE information: section name: .vmpLp
                  Source: chrome_elf.dll.14.drStatic PE information: section name: .00cfg
                  Source: chrome_elf.dll.14.drStatic PE information: section name: .crthunk
                  Source: chrome_elf.dll.14.drStatic PE information: section name: CPADinfo
                  Source: chrome_elf.dll.14.drStatic PE information: section name: malloc_h
                  Source: libEGL.dll.14.drStatic PE information: section name: .00cfg
                  Source: libGLESv2.dll.14.drStatic PE information: section name: .00cfg
                  Source: libcef.dll.14.drStatic PE information: section name: .00cfg
                  Source: libcef.dll.14.drStatic PE information: section name: .rodata
                  Source: libcef.dll.14.drStatic PE information: section name: CPADinfo
                  Source: libcef.dll.14.drStatic PE information: section name: malloc_h
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02781D38 push ecx; ret 0_2_02781D39
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02781CF8 push 00000076h; iretd 0_2_02781CFA
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02782EFD push B92A2F4Ch; retf 0_2_02782F02
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02974DD6 push edx; ret 0_2_02974DD7
Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02976E54 push FFFFFFFBh; iretd 0_2_02976E6A
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401CD1 push ecx; ret 5_2_00401CD2
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00401C91 push 00000076h; iretd 5_2_00401C93
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_00402E96 push B92A2F4Ch; retf 5_2_00402E9B
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02852EFD push B92A2F4Ch; retf 5_2_02852F02
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02851CF8 push 00000076h; iretd 5_2_02851CFA
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02851D38 push ecx; ret 5_2_02851D39
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_029A5586 push edx; ret 5_2_029A5587
Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_029A7604 push FFFFFFFBh; iretd 5_2_029A761A
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A004B push ecx; ret 12_2_004A005E
Source: JuHVfiAuLo.exe Static PE information: section name: .text entropy: 7.498035460167549
Source: ifgewai.2.dr Static PE information: section name: .text entropy: 7.498035460167549
Source: Ionic.Zip.dll.14.dr Static PE information: section name: .text entropy: 6.821349263259562
(ifgewai.2.dr reproduces the submitted sample's .text entropy to the last digit and shows the same push/ret, push/iretd and push/retf sequences at the same image offsets: it is the persisted copy of JuHVfiAuLo.exe that explorer.exe writes to %APPDATA%. A push of an immediate followed by retf or iretd is not meaningful control flow; it is what a disassembler produces from an encrypted .text region, which the entropy of 7.498 bits per byte also indicates.)
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\blowfish.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ifgewai
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\37A.exe
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
Source: C:\Users\user\AppData\Local\Temp\2C50.exe File created: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\INetC.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2C50.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\56AD.exe
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsyDD2E.tmp\liteFirewall.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ifgewai
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
(The drop chain runs explorer.exe -> 2C50.exe -> setup.exe -> GamePall\. 2C50.exe and setup.exe are NSIS installers: the nsm2A3E.tmp and nsyDD2E.tmp directories hold their plug-ins, nsProcess.dll (process enumeration and termination), blowfish.dll (Blowfish plug-in, typically used to decrypt an embedded payload), INetC.dll (WinINet download, which is how huge[1].dat landed in the IE cache) and liteFirewall.dll (Windows Firewall exceptions). The GamePall directory is a CEF-based .NET application (libcef.dll, Xilium.CefGlue.dll, Newtonsoft.Json.dll, log4net.dll) made persistent through the HKCU Run value. Everything explorer.exe itself writes (ifgewai, 37A.exe, 2C50.exe, 56AD.exe) comes from injected code; explorer.exe has no business creating executables in %TEMP% or %APPDATA%.)
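The static-PE lines above (entry-point section, .vmpLp naming, .text entropy, the year-2101 timestamp) are the checks a triage script runs before anything is executed. The script below is an added example written for this page, not Joe Sandbox code: it reads PE headers with the Python standard library only, and its packer-name list, entropy threshold and plausible-year window are the example's own assumptions. The two images it analyses are constructed in memory (the "packed" one reuses the report's timestamp value 0xF68F744F); they are not the report's files.

```python
"""Static PE triage with the standard library only: the checks behind the
report's "Static PE information" lines (entry-point section, packer section
names, per-section entropy, link timestamp). Added example, not Joe Sandbox
code; thresholds and the packer list are this example's own assumptions."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: section-name prefixes that usually indicate a packer/virtualizer.
# VMProtect's sections default to .vmp0/.vmp1 but are freely renamed (.vmpLp here).
PACKER_PREFIXES = {".vmp": "VMProtect", "UPX": "UPX", ".themida": "Themida"}
HIGH_ENTROPY = 7.0                 # bits/byte; unencrypted native code rarely exceeds this
MIN_YEAR = 1995                    # link times before this or in the future are not credible
MAX_YEAR = datetime.now(timezone.utc).year


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Read only the headers a triage needs: timestamp, entry RVA, section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; the optional header follows it.
    _machine, nsec, tstamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt_off)[0]            # 0x10B PE32, 0x20B PE32+
    entry_rva = struct.unpack_from("<I", buf, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, _flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"pe32plus": magic == 0x20B, "timestamp": tstamp,
            "entry_rva": entry_rva, "sections": sections}


def entry_section(pe: dict):
    """Name of the section containing AddressOfEntryPoint, or None if it maps nowhere."""
    ep = pe["entry_rva"]
    for s in pe["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(buf: bytes) -> list:
    """Findings in the spirit of the report's static-PE lines."""
    pe = parse_pe(buf)
    findings = []
    linked = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    if not MIN_YEAR <= linked.year <= MAX_YEAR:
        findings.append(f"implausible link timestamp {linked:%Y-%m-%d}: forged, "
                        "or a deterministic-build hash")
    for s in pe["sections"]:
        for prefix, packer in PACKER_PREFIXES.items():
            if s["name"].startswith(prefix):
                findings.append(f"section {s['name']}: {packer} naming")
        if s["name"] == ".text" and s["entropy"] > HIGH_ENTROPY:
            findings.append(f".text entropy {s['entropy']:.3f}: packed or encrypted code")
    ep = entry_section(pe)
    if ep is not None and ep != ".text":
        findings.append(f"entry point in {ep} rather than .text: unpacking stub")
    return findings


def build_pe(sections, entry_rva: int, timestamp: int) -> bytes:
    """Constructed, non-runnable PE32 image for exercising the parser offline."""
    opt_size = 224                                   # PE32 optional header size
    raw_ptr = (0x40 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)).ljust(opt_size, b"\0")
    hdrs, body = b"", b""
    for name, vaddr, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr,
                            len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return (dos + b"PE\0\0" + file_hdr + opt + hdrs).ljust(raw_ptr, b"\0") + body


# Constructed samples (not the report's files): a VMProtect-style layout that reuses the
# report's timestamp value, and a plain image that should produce no findings.
PACKED = build_pe([(".text", 0x1000, bytes(range(256)) * 16), (".vmpLp", 0x6000, bytes(range(256)) * 4)],
                  entry_rva=0x6010, timestamp=0xF68F744F)
PLAIN = build_pe([(".text", 0x1000, b"\x90" * 4096)], entry_rva=0x1000, timestamp=0x60000000)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, triage(image) or ["no findings"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the same section-name check over 37A.exe would report its three .vmpLp sections, and the entropy check is what separates a genuinely packed .text (7.498 here) from the compressed resources that push an ordinary .NET assembly toward 6.8.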

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\juhvfiaulo.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ifgewai:Zone.Identifier read attributes | delete
(Both actions come from the code injected into explorer.exe, SmokeLoader's usual host: once the persistent copy ifgewai exists, the original on the Desktop is deleted, and the copy's Zone.Identifier alternate data stream is opened with DELETE access so the mark-of-the-web that would trigger SmartScreen and the "downloaded from the Internet" warning is stripped.)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Users\user\AppData\Local\Temp\37A.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\2C50.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\56AD.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX (87 occurrences)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX (95 occurrences)
(These entries are SetErrorMode calls. SEM_NOOPENFILEERRORBOX only suppresses the "file not found" dialog and is set routinely by benign runtimes and installers around file operations, so its volume here, almost all from the CEF-based GamePall.exe, carries little signal on its own. SEM_NOGPFAULTERRORBOX is the flag worth noting: it also suppresses the Windows Error Reporting crash dialog, so a process that sets it can die silently instead of leaving the crash prompt a user or sandbox would notice.)
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
                  Source: C:\Users\user\AppData\Roaming\ifgewai Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe System information queried: FirmwareTableInformation
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe API/Special instruction interceptor: Address: 7FFBCB7AE814
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe API/Special instruction interceptor: Address: 7FFBCB7AD584
                  Source: C:\Users\user\AppData\Roaming\ifgewai API/Special instruction interceptor: Address: 7FFBCB7AE814
                  Source: C:\Users\user\AppData\Roaming\ifgewai API/Special instruction interceptor: Address: 7FFBCB7AD584
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 1366310
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 13B522F
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 12976F5
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 14A5B80
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe API/Special instruction interceptor: Address: 1374E89
                  Source: JuHVfiAuLo.exe, ifgewai Binary or memory string: ASWHOOK
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated (memory reserve | memory write watch), 72 allocations at: 22F0000, 2480000, 4480000, 1010000, 2A70000, 2830000, 1000000, 2970000, 4970000, D10000, 27C0000, 47C0000, 1300000, 3000000, 1580000, BD0000, 2900000, 2650000, B00000, 27E0000, DB0000, 7D0000, 2300000, 4300000, CA0000, 2AA0000, DD0000, 2E10000, 30F0000, 50F0000, 10F0000, 2D90000, 2BA0000, 2C50000, 2E40000, 4E40000, 1330000, 2E10000, 2C80000, 1240000, 2CB0000, 4CB0000, 2C50000, 2EA0000, 2DB0000, FD0000, 2900000, 4900000, C30000, 2AC0000, 1050000, 2F70000, 30C0000, 50C0000, 11F0000, 2BF0000, 2A00000, 860000, 24F0000, 2310000, 1440000, 3060000, 2F80000, F40000, 2C00000, 2AD0000, 730000, 2440000, 22C0000, 1040000, 2AA0000, 1120000
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 459
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4595
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 987
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 359
                  Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 888
                  Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 864
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\nsProcess.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\blowfish.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                  Source: C:\Users\user\AppData\Local\Temp\2C50.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\INetC.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyDD2E.tmp\liteFirewall.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                  Source: C:\Windows\explorer.exe TID: 5256 Thread sleep time: -459500s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 7064 Thread sleep time: -98700s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 2344 Thread sleep time: -34600s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 2060 Thread sleep time: -35900s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe TID: 4152 Thread sleep time: -180000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe TID: 4152 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 2704 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6784 Thread sleep count: 35 > 30
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Last function: Thread delayed (4 identical entries)
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B24BD FindFirstFileExW
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1000 FindFirstFileW, FindNextFileW, EnterCriticalSection, LeaveCriticalSection
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B4E27 FindFirstFileW, EnterCriticalSection, LeaveCriticalSection, FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B1D3C FindFirstFileW, FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B40BA FindFirstFileW, FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B3EFC FindFirstFileW, FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_039B2054 GetCurrentHwProfileA, GetSystemInfo, GlobalMemoryStatusEx, EnumDisplayDevicesA, EnumDisplayDevicesA
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
                  Source: 37A.exe, 00000006.00000003.1814604438.0000000003B38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878628515.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1911871756.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1853494573.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871675979.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1911955460.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873234514.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: GamePall.exe, 00000028.00000002.3406232740.0000000000C87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: GamePall.exe, 0000000F.00000002.3133485478.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: explorer.exe, 00000002.00000000.1435797743.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: GamePall.exe, 00000013.00000002.3203197449.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000002.00000000.1435797743.0000000009330000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 56AD.exe, 0000000C.00000003.2638489816.000000000A41B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exeSystem information queried: ModuleInformationJump to behavior
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Roaming\ifgewai System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\ifgewai Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_00445B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0278092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_02780D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Code function: 0_2_0296EC61 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_02850D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_0285092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\ifgewai Code function: 5_2_0299F411 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004B5891 GetProcessHeap
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A4383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A0495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A0622 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe Code function: 12_2_004A06F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\explorer.exe File created: 56AD.exe.2.dr
                  Source: C:\Windows\explorer.exe Network Connect: 141.8.192.126 80
                  Source: C:\Windows\explorer.exe Network Connect: 185.68.16.7 443
                  Source: C:\Windows\explorer.exe Network Connect: 127.0.0.127 80
                  Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
                  Source: C:\Windows\explorer.exe Network Connect: 2.185.214.11 80
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Thread created: C:\Windows\explorer.exe EIP: B619D0
                  Source: C:\Users\user\AppData\Roaming\ifgewai Thread created: unknown EIP: 76C19D0
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: pedestriankodwu.xyz
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: towerxxuytwi.xyz
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: ellaboratepwsz.xyz
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: penetratedpoopp.xyz
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: swellfrrgwwos.xyz
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: contintnetksows.shop
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: foodypannyjsud.shop
                  Source: 37A.exe, 00000006.00000002.1912521666.0000000000F4D000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: potterryisiw.shop
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\Desktop\JuHVfiAuLo.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\ifgewai Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) samsungbrowser/26.0 chrome/122.0.0.0 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: explorer.exe, 00000002.00000000.1434461103.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1435797743.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000002.00000000.1433170482.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
                  Source: explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: 0Program Manager
                  Source: explorer.exe, 00000002.00000000.1433382361.0000000001090000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
                  Source: explorer.exe, 00000002.00000000.1435797743.000000000936E000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: Shell_TrayWnd]1Q
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: 12_2_004A013C cpuid 12_2_004A013C
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: EnumSystemLocalesW,12_2_004B5051
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_004B50DC
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetLocaleInfoW,12_2_004AE096
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetLocaleInfoW,12_2_004B532F
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_004B5458
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetLocaleInfoW,12_2_004B555E
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_004B5634
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: EnumSystemLocalesW,12_2_004ADBC7
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: GetACP,IsValidCodePage,GetLocaleInfoW,12_2_004B4CBF
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: EnumSystemLocalesW,12_2_004B4F6B
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe  Code function: EnumSystemLocalesW,12_2_004B4FB6
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | Code function: 12_2_004A038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_004A038F
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871624978.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873234514.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871675979.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1872012539.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR
                  Source: Yara match | File source: 12.2.56AD.exe.39b0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.56AD.exe.1218f80.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.56AD.exe.125e8a0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.56AD.exe.39b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.56AD.exe.125e8a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.56AD.exe.1218f80.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 56AD.exe PID: 4936, type: MEMORYSTR
                  Source: Yara match | File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\ElectronCash\\wallets",
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: { "en": "cjelfplplebdjjenllpjcblmjkfcffne", "ez": "Jaxx Liberty" },
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: { "en": "aholpfdialjgjfhomihkjbmgjidlcdno", "ez": "ExodusWeb3" },
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Ethereum",
                  Source: 37A.exe, 00000006.00000003.1853300930.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                  Source: 37A.exe, 00000006.00000003.1799666723.0000000000C60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "m": ["keystore"],
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                  Source: C:\Users\user\AppData\Local\Temp\37A.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.jsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\56AD.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeDirectory queried: number of queries: 1389
                  Source: Yara matchFile source: 00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000003.1853494573.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR
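The behaviour list above is the raw material for a hunt rule: two dropped executables (37A.exe and 56AD.exe), neither of them a browser or a wallet application, open Chrome extension storage, Chromium profile databases, Firefox profile files and a dozen desktop-wallet directories. The following Python script is an added example and is not part of the Joe Sandbox report. It parses lines in the report's own text format ("Source: <process>File opened: <path>Jump to behavior"), maps each touched path to a store family, ignores the process that legitimately owns that store, and flags any process that reaches into two or more families. The family labels, the owner allowlist and the single benign chrome.exe line are assumptions of this example; the remaining sample lines are copied from the list above.

```python
"""Flag processes that touch browser-credential or crypto-wallet stores.

Added example: consumes Joe Sandbox behaviour lines in the text form shown in
this report ("Source: <proc>File opened: <path>Jump to behavior").
"""
import re
from collections import defaultdict

# Store families. The path fragments come from the report's behaviour list;
# the family names are this example's own labels, not Joe Sandbox terms.
STORE_PATTERNS = [
    # Chrome extension IDs are 32 characters from the range a-p
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\[a-p]{32}$", re.I),
     "chrome-extension-storage"),
    (re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
                r"(Login Data( For Account)?|Web Data|History)$", re.I),
     "chromium-profile-db"),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles(\\|$)", re.I), "firefox-profile"),
    (re.compile(r"\\Roaming\\Exodus\\", re.I), "wallet-exodus"),
    (re.compile(r"\\Roaming\\Ledger Live$", re.I), "wallet-ledger"),
    (re.compile(r"\\Roaming\\atomic\\", re.I), "wallet-atomic"),
    (re.compile(r"\\Local\\Coinomi\\", re.I), "wallet-coinomi"),
    (re.compile(r"\\Roaming\\Bitcoin\\", re.I), "wallet-bitcoin-core"),
    (re.compile(r"\\Roaming\\Binance$", re.I), "wallet-binance"),
    (re.compile(r"\\Roaming\\com\.liberty\.jaxx\\", re.I), "wallet-jaxx"),
    (re.compile(r"\\Roaming\\Electrum(-LTC)?\\", re.I), "wallet-electrum"),
    (re.compile(r"\\Roaming\\Guarda\\", re.I), "wallet-guarda"),
]

# Processes allowed to open a family (assumption: the browser that owns the
# profile). Wallet families have no entry, so every access to them is recorded.
EXPECTED_OWNERS = {
    "chrome-extension-storage": {"chrome.exe"},
    "chromium-profile-db": {"chrome.exe", "msedge.exe"},
    "firefox-profile": {"firefox.exe"},
}

# Report line format; the trailing "Jump to behavior" is the page's link text.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*(?P<op>File opened|Directory queried):\s*"
    r"(?P<path>.+?)(?:Jump to behavior)?\s*$")


def parse_line(line):
    """Return (process image name lower-cased, operation, path) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proc = m["proc"].rsplit("\\", 1)[-1].lower()
    return proc, m["op"], m["path"]


def classify(path):
    """Map a path to a store family, or None if it is not a sensitive store."""
    for pattern, family in STORE_PATTERNS:
        if pattern.search(path):
            return family
    return None


def collect_access(lines):
    """Families touched per process, ignoring each family's legitimate owner."""
    touched = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, _op, path = parsed
        family = classify(path)
        if family is None or proc in EXPECTED_OWNERS.get(family, set()):
            continue
        touched[proc].add(family)
    return touched


def find_stealers(lines, min_families=2):
    """Processes touching at least min_families distinct store families."""
    return {proc: sorted(fams) for proc, fams in collect_access(lines).items()
            if len(fams) >= min_families}


# Constructed input: lines copied from the report above plus one benign line
# (chrome.exe reading its own Login Data) that does not appear in the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\56AD.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\56AD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\56AD.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqliteJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\37A.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
]

if __name__ == "__main__":
    for proc, families in find_stealers(SAMPLE_LINES).items():
        print(f"{proc}: {', '.join(families)}")
```

Run against the constructed lines it reports 37A.exe for four families (extension storage plus three wallets) and 56AD.exe for two (Chromium profile databases plus the Firefox profile), while the chrome.exe line never enters the tally. The breadth threshold is the tunable part: a single wallet touch from an unknown process is already worth a look, but requiring two families keeps backup agents and indexers, which tend to sweep one store type at a time, out of the alert stream. The same path patterns translate directly to EDR file-access telemetry once the process name and path fields are mapped.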

                  Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 37A.exe PID: 2464, type: MEMORYSTR
Source: Yara match | File source: 12.2.56AD.exe.39b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.56AD.exe.1218f80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.56AD.exe.125e8a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.56AD.exe.39b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.56AD.exe.125e8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.56AD.exe.1218f80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 56AD.exe PID: 4936, type: MEMORYSTR
Source: Yara match | File source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques matched by this sample, grouped by tactic. The digits in brackets are the matrix cell's signature-count badges, reproduced as extracted; matrix cells without a match are omitted.

Execution: Windows Management Instrumentation (1); Native API (11); Exploitation for Client Execution (1); Command and Scripting Interpreter (1); PowerShell (1)
Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1); Windows Service (1); Process Injection (312); Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (111); Obfuscated Files or Information (31); Software Packing (12); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (241); Process Injection (312); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (1); File and Directory Discovery (23); System Information Discovery (135); Security Software Discovery (651); Virtualization/Sandbox Evasion (241); Process Discovery (3); Application Window Discovery (1); Remote System Discovery (1)
Collection: Archive Collected Data (11); Data from Local System (31); Screen Capture (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Application Layer Protocol (1)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph ID: 1466598 | Sample: JuHVfiAuLo.exe | Startdate: 03/07/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Starts: JuHVfiAuLo.exe; ifgewai

JuHVfiAuLo.exe
  Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  Injects into: explorer.exe

ifgewai
  Signatures: Multi AV Scanner detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

explorer.exe (injected)
  Network: 185.68.16.7 UKRAINE-ASUA Ukraine; 2.185.214.11 TCIIR Iran (ISLAMIC Republic Of); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\ifgewai (PE32); C:\Users\user\AppData\Local\Temp\56AD.exe (PE32); C:\Users\user\AppData\Local\Temp\37A.exe (PE32); 2 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: 2C50.exe; 37A.exe; 56AD.exe

2C50.exe
  Dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  Starts: setup.exe

37A.exe
  Network: 188.114.97.3 CLOUDFLARENETUS European Union
  Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures

56AD.exe
  Network: 146.70.169.164 TENET-1ZA United Kingdom; 104.192.141.1 AMAZON-02US United States
  Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal browser information (history, passwords, etc)

setup.exe
  Dropped: C:\Users\user\AppData\...\vulkan-1.dll (PE32); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32); C:\Users\user\AppData\...\libGLESv2.dll (PE32); 16 other files (13 malicious)
  Signatures: Antivirus detection for dropped file
  Starts: GamePall.exe

GamePall.exe
  Network: 172.67.221.174 CLOUDFLARENETUS United States
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  Starts: GamePall.exe (three instances); 6 other processes
    First child GamePall.exe starts three further GamePall.exe instances and 9 other processes; two of those instances start three more GamePall.exe children between them
    Second child GamePall.exe: Network: 1.1.1.1 CLOUDFLARENETUS Australia

Source | Detection | Scanner | Label
JuHVfiAuLo.exe | 39% | ReversingLabs |
JuHVfiAuLo.exe | 38% | Virustotal |
JuHVfiAuLo.exe | 100% | Avira | HEUR/AGEN.1318160
JuHVfiAuLo.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\37A.exe | 100% | Avira | HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Temp\2C50.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Avira | HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\37A.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\56AD.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2C50.exe | 21% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\37A.exe | 50% | ReversingLabs | Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\56AD.exe | 16% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\INetC.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\blowfish.dll | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsm2A3E.tmp\nsProcess.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsyDD2E.tmp\liteFirewall.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\setup.exe | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\libcef.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\log4net.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\ifgewai | 39% | ReversingLabs |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label/Link
https://excel.office.com | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://powerpoint.office.comer | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSA4 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=hiCtrl$1 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Virustotal | Browse
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | Browse
https://foodypannyjsud.shop/w | 100% | Avira URL Cloud | malware
https://support.google.com/chrome/answer/6098869 | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.html | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/answer/6098869 | 0% | Virustotal | Browse
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Virustotal | Browse
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Virustotal | Browse
https://www.google.com/chrome/privacy/eula_text.html | 1% | Virustotal | Browse
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | Virustotal | Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://gebeus.ru/tmp/index.php | 100% | Avira URL Cloud | malware
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://crbug.com/510270 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=urCtrl$2 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://crbug.com/378067 | 0% | Avira URL Cloud | safe
http://crbug.com/510270 | 0% | Virustotal | Browse
http://gebeus.ru/tmp/index.php | 16% | Virustotal | Browse
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=trCtrl$1 | 0% | Avira URL Cloud | safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Avira URL Cloud | safe
http://crbug.com/378067 | 0% | Virustotal | Browse
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Virustotal | Browse
https://passwords.google.com | 0% | Avira URL Cloud | safe
http://cx5519.com/tmp/index.php | 100% | Avira URL Cloud | malware
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Virustotal | Browse
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | 0% | Avira URL Cloud | safe
contintnetksows.shop | 100% | Avira URL Cloud | malware
http://cx5519.com/tmp/index.php | 12% | Virustotal | Browse
https://aui-cdn.atlassian.com/ | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Virustotal | Browse
http://crbug.com/497301 | 0% | Avira URL Cloud | safe
https://github.com/JamesNK/Newtonsoft.Json/issues/652 | 0% | Avira URL Cloud | safe
http://www.microsoft.c | 0% | Avira URL Cloud | safe
https://aui-cdn.atlassian.com/ | 0% | Virustotal | Browse
https://passwords.google.com | 0% | Virustotal | Browse
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSd | 0% | Avira URL Cloud | safe
http://bageyou.xyz | 0% | Avira URL Cloud | safe
http://crbug.com/642141 | 0% | Avira URL Cloud | safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | 0% | Virustotal | Browse
contintnetksows.shop | 16% | Virustotal | Browse
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/J | 100% | Avira URL Cloud | malware
https://github.com/JamesNK/Newtonsoft.Json/issues/652 | 0% | Virustotal | Browse
http://crbug.com/642141 | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=afCtrl$1 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=jaCtrl$1 | 0% | Avira URL Cloud | safe
https://android.notify.windows.com/iOSd | 0% | Virustotal | Browse
http://evilos.cc/tmp/index.php | 100% | Avira URL Cloud | malware
http://crbug.com/497301 | 0% | Virustotal | Browse
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/pi_ | 100% | Avira URL Cloud | malware
http://bageyou.xyz | 0% | Virustotal | Browse
https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus | 0% | Avira URL Cloud | safe
https://bitbucket.org/ | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/apin | 100% | Avira URL Cloud | malware
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://support.google.com/chromebook?p=app_intent | 0% | Avira URL Cloud | safe
http://crbug.com/717501 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/apio | 100% | Avira URL Cloud | malware
http://crbug.com/957772 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/piV | 100% | Avira URL Cloud | malware
http://crbug.com/839189 | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/apiw | 100% | Avira URL Cloud | malware
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=mrCtrl$1 | 0% | Avira URL Cloud | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.html& | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlT&r | 0% | Avira URL Cloud | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | 0% | Avira URL Cloud | safe
ellaboratepwsz.xyz | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://gebeus.ru/tmp/index.php | true | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://cx5519.com/tmp/index.php | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
contintnetksows.shop | true | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://evilos.cc/tmp/index.php | true | Avira URL Cloud: malware | unknown
ellaboratepwsz.xyz | true | Avira URL Cloud: malware | unknown
swellfrrgwwos.xyz | true | Avira URL Cloud: malware | unknown
foodypannyjsud.shop | true | Avira URL Cloud: malware | unknown
pedestriankodwu.xyz | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | vi.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://powerpoint.office.comer | explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=hiCtrl$1 | hi.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u | mr.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/w | 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.google.com/chrome/answer/6098869 | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.html | hi.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.1435797743.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=ms&category=theme81https://myactivity.google.com/myactivity/?u | ms.pak.14.dr | false | Avira URL Cloud: safe | unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | GamePall.exe, 00000014.00000002.3097190836.0000000005592000.00000002.00000001.01000000.00000011.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=af&category=theme81https://myactivity.google.com/myactivity/?u | af.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crbug.com/510270 | resources.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=urCtrl$2 | ur.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u | ja.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crbug.com/378067 | resources.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://photos.google.com/settings?referrer=CHROME_NTP | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=trCtrl$1 | tr.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://passwords.google.com | ur.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aui-cdn.atlassian.com/ | 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crbug.com/497301 | resources.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/JamesNK/Newtonsoft.Json/issues/652 | Newtonsoft.Json.xml.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.microsoft.c | explorer.exe, 00000002.00000000.1435797743.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSd | explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://bageyou.xyz | GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crbug.com/642141 | resources.pak.14.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u | ur.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/J | 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://chrome.google.com/webstore?hl=afCtrl$1 | af.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=jaCtrl$1 | ja.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/pi_ | 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/chrome/privacy/eula_text.htmlB&antuanDiurus | ms.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://bitbucket.org/ | 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/apin | 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/chromebook?p=app_intent | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | false | Avira URL Cloud: safe | unknown
http://crbug.com/717501 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
http://crbug.com/957772 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/apio | 37A.exe, 00000006.00000002.1912240377.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1878333229.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1871396191.0000000000C83000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://foodypannyjsud.shop/piV | 37A.exe, 00000006.00000003.1878559703.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910888988.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000002.1912209776.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1873171538.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1910690894.0000000000C64000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crbug.com/839189 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/apiw | 37A.exe, 00000006.00000003.1853254880.0000000000C61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | 37A.exe, 00000006.00000003.1825260480.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000003.2648431183.000000000AB5F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=mrCtrl$1 | mr.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/chrome/privacy/eula_text.html& | ur.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993. | 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.htmlT&r | vi.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u | hi.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | 37A.exe, 00000006.00000003.1800749745.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2682429151.000000000A161000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://xiexie.wf/22_551/huge.dat | 2C50.exe, 00000008.00000003.1871311133.0000000003070000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crbug.com/819404 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000002.00000000.1437648332.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 37A.exe, 00000006.00000003.1826683278.0000000003C15000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crbug.com/514696 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee | 56AD.exe, 0000000C.00000002.2666707491.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, 56AD.exe, 0000000C.00000002.2666707491.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/apiN | 37A.exe, 00000006.00000003.1799870119.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, 37A.exe, 00000006.00000003.1799987736.0000000000C19000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, ms.pak.14.dr, af.pak.14.dr | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | 2C50.exe, 00000008.00000000.1867070648.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 0000000E.00000003.2986001329.000000000073A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000E.00000000.2673100697.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000E.00000002.3410722418.000000000040A000.00000004.00000001.01000000.0000000D.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u | tr.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://crbug.com/1446731 | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.install-stat.debug.world/clients/installs | GamePall.exe, 00000026.00000002.3396291727.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.cookielaw.org/ | 56AD.exe, 0000000C.00000003.2448304219.0000000001220000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.newtonsoft.com/jsonschema | Newtonsoft.Json.xml.14.dr | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000002.00000000.1437648332.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chromewebstore.google.com/ | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/a/answer/9122284 | tr.pak.14.dr, vi.pak.14.dr, hi.pak.14.dr, ur.pak.14.dr, mr.pak.14.dr, ja.pak.14.dr, af.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg | 37A.exe, 00000006.00000003.1827063278.0000000003AF7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.htmlBestuur | af.pak.14.dr | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 00000002.00000000.1434593106.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/ | resources.pak.14.dr | false | Avira URL Cloud: safe | unknown
http://api.install-stat.debug.world/clients/activity=4 | GamePall.exe, 0000001E.00000002.3413359163.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 00000026.00000002.3396291727.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
                    104.192.141.1 | unknown | United States | 16509 | AMAZON-02US | false
                    188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
                    141.8.192.126 | unknown | Russian Federation | 35278 | SPRINTHOSTRU | true
                    188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | true
                    172.67.221.174 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                    185.68.16.7 | unknown | Ukraine | 200000 | UKRAINE-ASUA | true
                    2.185.214.11 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | true
                    146.70.169.164 | unknown | United Kingdom | 2018 | TENET-1ZA | true
                    IP
                    127.0.0.127
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1466598
                    Start date and time:2024-07-03 07:50:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 16m 36s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:40
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Sample name:JuHVfiAuLo.exe
                    renamed because original name is a hash value
                    Original Sample Name:0c653f386efe0b014ffc681b49120706.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@256/114@0/10
                    EGA Information:
                    • Successful, ratio: 75%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Connection to analysis system has been lost, crash info: Unknown
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Execution Graph export aborted for target 37A.exe, PID 2464 because there are no executed function
                    • Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtEnumerateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Skipping network analysis since amount of network traffic is too extensive
                    Time | Type | Description
                    01:51:18 | API Interceptor | 131989x Sleep call for process: explorer.exe modified
                    01:51:39 | API Interceptor | 8x Sleep call for process: 37A.exe modified
                    01:53:41 | API Interceptor | 1x Sleep call for process: GamePall.exe modified
                    07:51:21 | Task Scheduler | Run new task: Firefox Default Browser Agent B38C99FDB0471A1F path: C:\Users\user\AppData\Roaming\ifgewai
                    07:53:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    07:53:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context (bulleted below each row)
                    1.1.1.1 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper
                    • www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
                    1.1.1.1 | AFfv8HpACF.exe | malicious | Unknown
                    • 1.1.1.1/
                    1.1.1.1 | INVOICE_90990_PDF.exe | malicious | FormBook
                    • www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
                    1.1.1.1 | Go.exe | malicious | Unknown
                    • 1.1.1.1/
                    104.192.141.1 | A662vmc5co.exe | malicious | Unknown
                    • bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
                    104.192.141.1 | lahPWgosNP.exe | malicious | Amadey
                    • bitbucket.org/alex222111/testproj/downloads/s7.exe
                    104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
                    104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
                    104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets
                    104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets
                    104.192.141.1 | Paid invoice.ppa | malicious | AgentTesla
                    • bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
                    104.192.141.1 | PO#1487958_10.ppa | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
                    104.192.141.1 | Purchase Inquiry_pdf.ppa | malicious | AgentTesla
                    • bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
                    104.192.141.1 | Purchase Inquiry_pdf.ppa | malicious | Unknown
                    • bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
                    188.114.97.3 | http://sp.26skins.com/steamstore/category/action_run_jump/?snr=1_1530_4__12 | malicious | Unknown
                    • sp.26skins.com/favicon.ico
                    188.114.97.3 | Inquiry No PJO-4010574.exe | malicious | FormBook
                    • www.oc7o0.top/2zff/?iHmHOtK=4L8xoD0W4Zo4sy88OPxzXkM4Et1OXrliZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7znic/DfJyEGJbg1Pv28u2ofuxZkWteJjYs=&L480=nFsp
                    188.114.97.3 | 30Fqen2Bu3.exe | malicious | Unknown
                    • filetransfer.io/data-package/TbaYPT0S/download
                    188.114.97.3 | nJ8mJTmMf0.exe | malicious | FormBook
                    • www.coinwab.com/efdt/
                    188.114.97.3 | hkLFB22XxS.exe | malicious | FormBook
                    • www.cavetta.org.mt/yhnb/
                    188.114.97.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer
                    • filetransfer.io/data-package/mJcm5Gfa/download
                    188.114.97.3 | http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.io | malicious | HTMLPhisher
                    • emmalee.sa.com/favicon.ico
                    188.114.97.3 | file.exe | malicious | FormBook
                    • www.cavetta.org.mt/yhnb/
                    188.114.97.3 | 6Z4Q4bREii.exe | malicious | DCRat, PureLog Stealer, zgRAT
                    • 000366cm.nyashka.top/phpflowergenerator.php
                    188.114.97.3 | DHL Arrival Notice.exe | malicious | FormBook
                    • www.coinwab.com/efdt/
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context (bulleted below each row)
                    CLOUDFLARENETUS | LXbM8RbhLa.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 104.21.45.251
                    CLOUDFLARENETUS | EiPVv5yELP.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 172.67.221.174
                    CLOUDFLARENETUS | 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 172.67.221.174
                    CLOUDFLARENETUS | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 172.67.221.174
                    CLOUDFLARENETUS | http://differentia.ru | malicious | Unknown
                    • 1.1.1.1
                    CLOUDFLARENETUS | Doc_CI_PL_HBL_COO_Insu_.exe | malicious | AgentTesla
                    • 104.26.13.205
                    CLOUDFLARENETUS | Safeguard and Grow Your Assets.html | malicious | Unknown
                    • 172.64.152.241
                    CLOUDFLARENETUS | roger.exe | malicious | AgentTesla
                    • 172.67.74.152
                    CLOUDFLARENETUS | https://townsvilleucc.com.au | malicious | Unknown
                    • 188.114.97.3
                    CLOUDFLARENETUS | https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1 | malicious | Unknown
                    • 104.21.55.70
                    SPRINTHOSTRU | LXbM8RbhLa.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | EiPVv5yELP.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | OBbrO5rwew.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 141.8.192.126
                    SPRINTHOSTRU | https://kawak.com.co | malicious | Unknown
                    • 185.251.91.91
                    SPRINTHOSTRU | S#U0435tup.exe | malicious | CopperShrimp
                    • 185.185.70.98
                    AMAZON-02US | xr2xnZhHkh.elf | malicious | Mirai, Gafgyt, Okiru
                    • 15.229.32.8
                    AMAZON-02US | LXbM8RbhLa.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 104.192.141.1
                    AMAZON-02US | EiPVv5yELP.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 185.166.143.48
                    AMAZON-02US | 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 104.192.141.1
                    AMAZON-02US | watchdog.elf | malicious | Mirai
                    • 54.97.145.12
                    AMAZON-02US | spc.elf | malicious | Mirai
                    • 54.103.155.145
                    AMAZON-02US | watchdog.elf | malicious | Mirai
                    • 52.89.222.207
                    AMAZON-02US | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 104.192.141.1
                    AMAZON-02US | https://emea.dcv.ms/xAUEwUn0yq&c=E,1,toHboUmwDMlhwr-wc7dBvpYkcIiHsLy6ICiYedy6zqFMHJPZP4VPyK8zV2e78vqw1ZiSYyf8djJ0Qg64xCBVUCvFvYwJhqpWb_urHJ65A88aoiyybtSIFaPo&typo=1 | malicious | Unknown
                    • 52.222.236.94
                    AMAZON-02US | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    • 104.192.141.1
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | LXbM8RbhLa.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | EiPVv5yELP.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | OBbrO5rwew.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | file.exe | malicious | SmokeLoader
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\huge[1].dat | NhWAWEhCi7.exe | malicious | LummaC, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | LXbM8RbhLa.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | EiPVv5yELP.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | file.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | OBbrO5rwew.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | file.exe | malicious | SmokeLoader
                    C:\Users\user\AppData\Local\Temp\2C50.exe | setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc
                                                            Process:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):107232830
                                                            Entropy (8bit):7.999946456161068
                                                            Encrypted:true
                                                            SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                                                            MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                                                            SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                                                            SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                                                            SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Joe Sandbox View:
                                                            • Filename: LXbM8RbhLa.exe, Detection: malicious
                                                            • Filename: EiPVv5yELP.exe, Detection: malicious
                                                            • Filename: 6IMo1kM9CC.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, Detection: malicious
                                                            • Filename: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, Detection: malicious
                                                            • Filename: OBbrO5rwew.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: NhWAWEhCi7.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):293869
                                                            Entropy (8bit):5.61569579822855
                                                            Encrypted:false
                                                            SSDEEP:3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
                                                            MD5:60172CA946DE57C3529E9F05CC502870
                                                            SHA1:DE8F59D6973A5811BB10A9A4410801FA63BC8B56
                                                            SHA-256:42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
                                                            SHA-512:15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            Joe Sandbox View:
                                                            • Filename: LXbM8RbhLa.exe, Detection: malicious
                                                            • Filename: EiPVv5yELP.exe, Detection: malicious
                                                            • Filename: 6IMo1kM9CC.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, Detection: malicious
                                                            • Filename: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, Detection: malicious
                                                            • Filename: OBbrO5rwew.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe, Detection: malicious
                                                            • Filename: file.exe, Detection: malicious
                                                            • Filename: setup.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6642176
                                                            Entropy (8bit):7.866419732571782
                                                            Encrypted:false
                                                            SSDEEP:98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
                                                            MD5:BD2EAC64CBDED877608468D86786594A
                                                            SHA1:778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
                                                            SHA-256:CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
                                                            SHA-512:3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:modified
                                                            Size (bytes):578048
                                                            Entropy (8bit):6.297510031778876
                                                            Encrypted:false
                                                            SSDEEP:12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
                                                            MD5:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                            SHA1:7CC975D9FF785E269163897907D0B9B3CEE29956
                                                            SHA-256:544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
                                                            SHA-512:D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 16%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):22016
                                                            Entropy (8bit):5.668346578219837
                                                            Encrypted:false
                                                            SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
                                                            MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                                                            SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                                                            SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                                                            SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):22528
                                                            Entropy (8bit):6.674611218414922
                                                            Encrypted:false
                                                            SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
                                                            MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
                                                            SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
                                                            SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
                                                            SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4608
                                                            Entropy (8bit):4.666004851298707
                                                            Encrypted:false
                                                            SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                                                            MD5:FAA7F034B38E729A983965C04CC70FC1
                                                            SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                                                            SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                                                            SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):358363995
                                                            Entropy (8bit):6.972150585647623
                                                            Encrypted:false
                                                            SSDEEP:3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
                                                            MD5:5F9D89B40243E83C0B48206CE4EB77D1
                                                            SHA1:477A019AB11E5793168B3E41D83B80A8AC8F1D43
                                                            SHA-256:2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
                                                            SHA-512:5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
                                                            Malicious:false
                                                            Preview:........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):82944
                                                            Entropy (8bit):6.389604568119155
                                                            Encrypted:false
                                                            SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
                                                            MD5:165E1EF5C79475E8C33D19A870E672D4
                                                            SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
                                                            SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
                                                            SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):107232830
                                                            Entropy (8bit):7.999946456161068
                                                            Encrypted:true
                                                            SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                                                            MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                                                            SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                                                            SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                                                            SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.01057775872642915
                                                            Encrypted:false
                                                            SSDEEP:3:MsFl:/F
                                                            MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                            SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                            SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                            SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                            Malicious:false
                                                            Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012096502606932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsEllllkXl:/M/6
                                                            MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                            SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                            SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                            SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.011852361981932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsHlDll:/H
                                                            MD5:0962291D6D367570BEE5454721C17E11
                                                            SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                            SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                            SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012340643231932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsGl3ll:/y
                                                            MD5:41876349CB12D6DB992F1309F22DF3F0
                                                            SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                            SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                            SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                            Category:dropped
                                                            Size (bytes):262512
                                                            Entropy (8bit):9.553120663130604E-4
                                                            Encrypted:false
                                                            SSDEEP:3:LsNlJr:Ls3
                                                            MD5:E3439DD58AC32A58C861C5767AC4E553
                                                            SHA1:F036EF21ABA531642C3478338C513DA94BCE6365
                                                            SHA-256:615F78EC02828BBC5D598A16FF73FAE3E4410EE419450A0604E55A54CC7C4B1B
                                                            SHA-512:09831CED663FD3CFBE1795FD7B75255E2AE4464AC9CDDE07B1AA23DF6187D12DACC3F4CE9E91C0FC3F63EB6C5A3FAD139792D8941D5D122A8E2A602F17C2993F
                                                            Malicious:false
                                                            Preview:..........................................(..z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):4.622398838808078
                                                            Encrypted:false
                                                            SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                                                            MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                            SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                            SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                            SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 7%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.01057775872642915
                                                            Encrypted:false
                                                            SSDEEP:3:MsFl:/F
                                                            MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                            SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                            SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                            SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                            Malicious:false
                                                            Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012096502606932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsEllllkXl:/M/6
                                                            MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                            SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                            SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                            SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.011852361981932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsHlDll:/H
                                                            MD5:0962291D6D367570BEE5454721C17E11
                                                            SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                            SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                            SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8192
                                                            Entropy (8bit):0.012340643231932763
                                                            Encrypted:false
                                                            SSDEEP:3:MsGl3ll:/y
                                                            MD5:41876349CB12D6DB992F1309F22DF3F0
                                                            SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                            SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                            SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                            Malicious:false
                                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                            Category:dropped
                                                            Size (bytes):262512
                                                            Entropy (8bit):9.553120663130604E-4
                                                            Encrypted:false
                                                            SSDEEP:3:LsNlrilt:Ls3
                                                            MD5:3775D79C1C13616630A9FADAA8D1EA50
                                                            SHA1:EFA8137E1ECE79CEA483BB7AD9B1C6ACFAB2790E
                                                            SHA-256:92B4E021893EBB8E9A912ACDD799E6D37E71377D5F219604E5767FBDDC7AE5BC
                                                            SHA-512:46435BC65517B6F5858B6CE171AB08970B698920F42C7EF581E278497D1F9DBF0A410C23DD3D2FADF3D69F01D8AE73EF0F74B801762944106D4C4B726EAAA82B
                                                            Malicious:false
                                                            Preview:.........................................C$..z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):296448
                                                            Entropy (8bit):5.660420770467009
                                                            Encrypted:false
                                                            SSDEEP:3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
                                                            MD5:7A3502C1119795D35569535DE243B6FE
                                                            SHA1:DA0D16BC66614C7D273C47F321C5EE0652FB5575
                                                            SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
                                                            SHA-512:258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):462336
                                                            Entropy (8bit):6.803831500359682
                                                            Encrypted:false
                                                            SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
                                                            MD5:6DED8FCBF5F1D9E422B327CA51625E24
                                                            SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
                                                            SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
                                                            SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):574376
                                                            Entropy (8bit):5.8881470355864725
                                                            Encrypted:false
                                                            SSDEEP:12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
                                                            MD5:8F81C9520104B730C25D90A9DD511148
                                                            SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
                                                            SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
                                                            SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):561424
                                                            Entropy (8bit):4.606896607960262
                                                            Encrypted:false
                                                            SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
                                                            MD5:928ED37DB61C1E98A2831C8C01F6157C
                                                            SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                                                            SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                                                            SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                                                            Malicious:false
                                                            Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Category:dropped
                                                            Size (bytes):215862
                                                            Entropy (8bit):5.849338245796311
                                                            Encrypted:false
                                                            SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
                                                            MD5:9D21A25AA1B5985A2C8CBCE7F7007295
                                                            SHA1:86EBF56352B4DBB831FAE0CCA180B4ADD951240D
                                                            SHA-256:E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
                                                            SHA-512:EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):875520
                                                            Entropy (8bit):5.621956468920589
                                                            Encrypted:false
                                                            SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
                                                            MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                                                            SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                                                            SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                                                            SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1946739
                                                            Entropy (8bit):7.989700491058983
                                                            Encrypted:false
                                                            SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
                                                            MD5:96AD47D78A70B33158961585D9154ECC
                                                            SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                                                            SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                                                            SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                                                            Malicious:false
                                                            Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):214119
                                                            Entropy (8bit):7.955451054538398
                                                            Encrypted:false
                                                            SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                                                            MD5:391F512173ECEC14EB5CE31299858DE1
                                                            SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                            SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                            SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                            Malicious:false
                                                            Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):290001
                                                            Entropy (8bit):7.9670215100557735
                                                            Encrypted:false
                                                            SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                                                            MD5:BF59A047984EAFC79E40B0011ED4116D
                                                            SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                            SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                            SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                            Malicious:false
                                                            Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1305142
                                                            Entropy (8bit):7.99463351416358
                                                            Encrypted:true
                                                            SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                                                            MD5:20DDA02AF522924E45223D7262D0E1ED
                                                            SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                            SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                            SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                            Malicious:false
                                                            Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:current ar archive
                                                            Category:dropped
                                                            Size (bytes):87182312
                                                            Entropy (8bit):5.477474753748716
                                                            Encrypted:false
                                                            SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
                                                            MD5:FFD456A85E341D430AFA0C07C1068538
                                                            SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                                                            SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                                                            SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                                                            Malicious:false
                                                            Preview:!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):656926
                                                            Entropy (8bit):7.964275415195004
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3404DD2B0E63D9418F755430336C7164
                                                            SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                                                            SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                                                            SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                                                            Malicious:false
                                                            Preview:..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;*....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...*<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1017158
                                                            Entropy (8bit):7.951759131641406
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3FBF52922588A52245DC927BCC36DBB3
                                                            SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                                                            SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                                                            SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                                                            Malicious:false
                                                            Preview:..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+*...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..*<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1174528
                                                            Entropy (8bit):6.475826085865088
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:207AC4BE98A6A5A72BE027E0A9904462
                                                            SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
                                                            SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
                                                            SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2106216
                                                            Entropy (8bit):6.4563314852745375
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1C9B45E87528B8BB8CFA884EA0099A85
                                                            SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
                                                            SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
                                                            SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4127200
                                                            Entropy (8bit):6.577665867424953
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3B4647BCB9FEB591C2C05D1A606ED988
                                                            SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                                                            SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                                                            SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2205743
                                                            Entropy (8bit):7.923318114432295
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                                                            SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                                                            SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                                                            SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                                                            Malicious:false
                                                            Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):10717392
                                                            Entropy (8bit):6.282534560973548
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                            SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                            SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                            SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                            Malicious:false
                                                            Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):377856
                                                            Entropy (8bit):6.602916265542373
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                                                            SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                                                            SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                                                            SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6635008
                                                            Entropy (8bit):6.832077162910607
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:63988D35D7AB96823B5403BE3C110F7F
                                                            SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                                                            SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                                                            SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):176517632
                                                            Entropy (8bit):7.025874989859836
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                            SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                            SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                            SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:current ar archive
                                                            Category:dropped
                                                            Size (bytes):40258
                                                            Entropy (8bit):4.547436244061504
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                            SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                            SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                            SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                            Malicious:false
                                                            Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.
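Two of the files setup.exe drops are typed "current ar archive" (the 87 MB one above and this 40 KB one), and their previews begin with the ar magic followed by a "/" symbol-table member. Windows ships no `ar` tool, so a short header walker is the quickest way to list what such a dropped archive contains before deciding whether it is a bundled library or a container for something else. The following is an added example, not Joe Sandbox code and not derived from the dropped files; it relies only on the common ar layout (8-byte "!<arch>\n" magic, 60-byte fixed-width ASCII member headers ending in "`\n", bodies padded to even length). Treating blank uid/gid/mode fields as 0 and the small "/" / "//" name conventions are assumptions of this example, and the sample archive it builds is constructed for the demonstration.

```python
"""Walk the member headers of an ar archive (the "current ar archive" rows above).

Added example, not Joe Sandbox code. Assumes the common ar format: 8-byte
"!<arch>\n" magic, then 60-byte fixed-width ASCII member headers terminated by
"`\n", each followed by the member body padded to an even length. Blank
uid/gid/mode fields are treated as 0 (assumption of this example).
"""
import struct
import time

AR_MAGIC = b"!<arch>\n"
AR_HEADER = struct.Struct("16s12s6s6s8s10s2s")  # name, mtime, uid, gid, mode, size, fmag = 60 bytes
AR_FMAG = b"`\n"


def _num(field: bytes, base: int = 10) -> int:
    """Decode a space-padded ASCII numeric field; blank means 0 (assumption)."""
    text = field.strip()
    return int(text, base) if text else 0


def _describe_name(raw: bytes) -> str:
    """Label the special GNU/MSVC member names, strip the '/' terminator otherwise."""
    name = raw.rstrip().decode("ascii", "replace")
    if name == "/":
        return "/ (symbol table)"
    if name == "//":
        return "// (long-name table)"
    if name.startswith("/") and name[1:].isdigit():
        return name + " (long-name reference)"
    return name.rstrip("/")


def parse_ar(data: bytes) -> list:
    """Return one dict per member: name, mtime, mtime_utc, uid, gid, mode, size, offset."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members = []
    off = len(AR_MAGIC)
    while off + AR_HEADER.size <= len(data):
        name, mtime, uid, gid, mode, size, fmag = AR_HEADER.unpack_from(data, off)
        if fmag != AR_FMAG:
            raise ValueError(f"bad member header at offset {off}")
        body_size = _num(size)
        body_off = off + AR_HEADER.size
        if body_off + body_size > len(data):
            raise ValueError(f"member at offset {off} runs past end of archive")
        secs = _num(mtime)
        members.append({
            "name": _describe_name(name),
            "mtime": secs,
            "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(secs)),
            "uid": _num(uid),
            "gid": _num(gid),
            "mode": _num(mode, 8),
            "size": body_size,
            "offset": body_off,
        })
        off = body_off + body_size + (body_size & 1)  # bodies are 2-byte aligned
    return members


def build_ar(members) -> bytes:
    """Assemble an archive from (name, mtime, body) tuples; used only to construct test input."""
    out = bytearray(AR_MAGIC)
    for name, mtime, body in members:
        out += AR_HEADER.pack(name.encode().ljust(16), str(mtime).encode().ljust(12),
                              b"0".ljust(6), b"0".ljust(6), b"644".ljust(8),
                              str(len(body)).encode().ljust(10), AR_FMAG)
        out += body
        if len(body) & 1:
            out += b"\n"  # pad odd-sized bodies
    return bytes(out)


# Constructed sample (not one of the dropped files): a symbol table carrying the
# mtime seen in the 87 MB archive's preview, plus one 20-byte object member.
SAMPLE_AR = build_ar([
    ("/", 1696073295, b"\x00\x00\x00\x01\x00\x00\x00\x3c_sym\x00"),  # 13 bytes, gets padded
    ("obj.o/", 0, b"\x00" * 20),
])

if __name__ == "__main__":
    for m in parse_ar(SAMPLE_AR):
        print(f"{m['name']:24} {m['mtime_utc']}  mode={m['mode']:o} "
              f"size={m['size']} at offset {m['offset']}")
```

Point `parse_ar` at the bytes of a recovered archive and compare the member list against what a legitimate build of the bundled application would ship; a member whose name or size does not belong is the thing to carve out and hash next.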
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):470498
                                                            Entropy (8bit):5.409080468053459
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                            SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                            SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                            SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                            Malicious:false
                                                            Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):763010
                                                            Entropy (8bit):4.909167677028143
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                            SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                            SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                            SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):838413
                                                            Entropy (8bit):4.920788245468804
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C70B71B05A8CA5B8243C951B96D67453
                                                            SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                            SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                            SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):869469
                                                            Entropy (8bit):4.677916300869337
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:12A9400F521EC1D3975257B2061F5790
                                                            SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                            SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                            SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1118348
                                                            Entropy (8bit):4.2989199535081895
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:89A24AF99D5592AB8964B701F13E1706
                                                            SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                                                            SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                                                            SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):537139
                                                            Entropy (8bit):5.397688491907634
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:37B54705BD9620E69E7E9305CDFAC7AB
                                                            SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                                                            SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                                                            SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):545011
                                                            Entropy (8bit):5.844949195905198
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:65A2C2A73232AB1073E44E0FB6310A5F
                                                            SHA1:F3158AA527538819C93F57E2C778198A94416C98
                                                            SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                                                            SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):496165
                                                            Entropy (8bit):5.446061543230436
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A44EC6AAA456A6129FD820CA75E968BE
                                                            SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                                                            SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                                                            SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):534726
                                                            Entropy (8bit):5.49306456316532
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:49CA708EBB7A4913C36F7461F094886B
                                                            SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                                                            SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                                                            SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):950999
                                                            Entropy (8bit):4.76377388695373
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                            SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                            SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                            SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):430665
                                                            Entropy (8bit):5.517246002357965
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                            SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                            SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                            SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):434598
                                                            Entropy (8bit):5.509004494756697
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                            SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                            SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                            SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):524728
                                                            Entropy (8bit):5.377464936206393
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                            SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                            SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                            SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):523181
                                                            Entropy (8bit):5.356449408331279
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3D1720FE1D801D54420438A54CBE1547
                                                            SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                                                            SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                                                            SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):475733
                                                            Entropy (8bit):5.456553040437113
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C00D66D3FD4FD9D777949E2F115F11FB
                                                            SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                                                            SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                                                            SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):773397
                                                            Entropy (8bit):5.04618630633187
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C998140F7970B81117B073A87430A748
                                                            SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                                                            SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                                                            SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):483378
                                                            Entropy (8bit):5.428549632880935
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1CFD31A6B740D95E4D5D53432743EBF1
                                                            SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
                                                            SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
                                                            SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):546749
                                                            Entropy (8bit):5.197094281578282
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
                                                            SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
                                                            SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
                                                            SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):568277
                                                            Entropy (8bit):5.380723339968972
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:D185162DF4CAC9DCE7D70926099D1CF1
                                                            SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
                                                            SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
                                                            SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1103776
                                                            Entropy (8bit):4.336526106451521
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:44F704DB17F0203FA5195DC4572C946C
                                                            SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                                                            SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                                                            SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):681555
                                                            Entropy (8bit):4.658620623200349
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E75086A24ECAA25CD18D547AB041C65A
                                                            SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                                                            SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                                                            SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1167065
                                                            Entropy (8bit):4.308980564019689
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                            SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                            SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                            SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):526575
                                                            Entropy (8bit):5.518614920030561
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                            SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                            SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                            SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):566819
                                                            Entropy (8bit):5.6387082185760935
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                            SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                            SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                            SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):466959
                                                            Entropy (8bit):5.379636778781472
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1466C484179769A2263542E943742E59
                                                            SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                            SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                            SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):522800
                                                            Entropy (8bit):5.284113957149261
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                            SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                            SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                            SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):634636
                                                            Entropy (8bit):5.718480148171718
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4A4AF69546DCF65F2D722A574E221BEA
                                                            SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                                                            SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                                                            SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1256908
                                                            Entropy (8bit):4.247594585839553
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
                                                            SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
                                                            SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
                                                            SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):532715
                                                            Entropy (8bit):6.0824169765918725
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:5FD9942F57FFC499481947DB0C3FDFA7
                                                            SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
                                                            SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
                                                            SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):573015
                                                            Entropy (8bit):5.63016577624216
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8745B87D09D9ECC1112C60F5DD934034
                                                            SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
                                                            SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
                                                            SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):570683
                                                            Entropy (8bit):5.624052036286866
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E16B0B814074ACBD3A72AF677AC7BE84
                                                            SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
                                                            SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
                                                            SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1307271
                                                            Entropy (8bit):4.279854356980692
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:309E068B4E15157486D095301370B234
                                                            SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                                                            SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                                                            SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1075591
                                                            Entropy (8bit):4.313573412022857
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                                                            SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                                                            SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                                                            SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):489457
                                                            Entropy (8bit):5.250540323172458
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A1253E64F8910162B15B56883798E3C0
                                                            SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                            SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                            SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):476208
                                                            Entropy (8bit):5.4272499712806965
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                            SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                            SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                            SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):491139
                                                            Entropy (8bit):5.362822162782947
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:C8378A81039DB6943F97286CC8C629F1
                                                            SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                            SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                            SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):550453
                                                            Entropy (8bit):5.757462673735937
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                            SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                            SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                            SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):516256
                                                            Entropy (8bit):5.426294949123783
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3BA426E91C34E1C33F13912974835F7D
                                                            SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                            SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                            SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):518861
                                                            Entropy (8bit):5.4029194034596575
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                            SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                            SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                            SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):537125
                                                            Entropy (8bit):5.4566742297332596
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                            SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                            SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                            SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):878725
                                                            Entropy (8bit):4.848685093578222
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3A3D0D865A78399306924D3ED058274E
                                                            SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                            SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                            SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):553886
                                                            Entropy (8bit):5.812150703289796
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A9656846F66A36BB399B65F7B702B47D
                                                            SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                                                            SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                                                            SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):532410
                                                            Entropy (8bit):5.486224954097277
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                                                            SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                                                            SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                                                            SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):818089
                                                            Entropy (8bit):4.779985663253385
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                                                            SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                                                            SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                                                            SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):479512
                                                            Entropy (8bit):5.541069475898216
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:09592A0D35100CD9707C278C9FFC7618
                                                            SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
                                                            SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
                                                            SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):504856
                                                            Entropy (8bit):5.34516819438501
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:9E038A0D222055FED6F1883992DCA5A8
                                                            SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
                                                            SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
                                                            SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1298313
                                                            Entropy (8bit):4.058495187693592
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:36104CB0D5E26E0BBB313E529C14F4B4
                                                            SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
                                                            SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
                                                            SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1199612
                                                            Entropy (8bit):4.314031920337284
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:98714389748A98ECC536CD2F17859BDF
                                                            SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
                                                            SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
                                                            SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1008989
                                                            Entropy (8bit):4.356501290091745
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:56F29DE3465795E781A52FCF736BBE08
                                                            SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                                                            SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                                                            SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):515329
                                                            Entropy (8bit):5.616482888977033
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:46CA9EE922C3C175DE466066F40B29CE
                                                            SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                                                            SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                                                            SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):876131
                                                            Entropy (8bit):4.88404350774067
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:1365ABDD1EFB44720EA3975E4A472530
                                                            SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                                                            SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                                                            SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):765853
                                                            Entropy (8bit):5.17061834928747
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:3FED15E64BEAFBA75DE61B08A45AE106
                                                            SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                                                            SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                                                            SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):609259
                                                            Entropy (8bit):5.796202390024141
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                            SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                            SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                            SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):441207
                                                            Entropy (8bit):6.685712707138377
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                            SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                            SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                            SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):439630
                                                            Entropy (8bit):6.6906570508767995
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BB7C995F257B9125457381BB01856D72
                                                            SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                            SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                            SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):275968
                                                            Entropy (8bit):5.778490068583466
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                            SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                            SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                            SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1547797
                                                            Entropy (8bit):4.370092880615517
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                            SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                            SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                            SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):342741
                                                            Entropy (8bit):5.496697631795104
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                            SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                            SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                            SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):8226870
                                                            Entropy (8bit):7.996842728494533
                                                            Encrypted:true
                                                            SSDEEP:
                                                            MD5:F7EC58AEA756F3FD8A055AC582103A78
                                                            SHA1:086B63691F5E5375A537E99E062345F56512A22C
                                                            SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                                                            SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                                                            Malicious:false
                                                            Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):276319
                                                            Entropy (8bit):4.242318669799302
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8234983533FA47D2A1D7710FF8274299
                                                            SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                                                            SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                                                            SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                                                            Malicious:false
                                                            Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.8731406795131327
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:2C66F3C2190A84FAFD4449DAF6440EAC
                                                            SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
                                                            SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
                                                            SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
                                                            Malicious:false
                                                            Preview:start GamePall.exe OuWe5kl
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:MSVC program database ver 7.00, 512*4023 bytes
                                                            Category:dropped
                                                            Size (bytes):2059776
                                                            Entropy (8bit):4.067542396670122
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
                                                            SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
                                                            SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
                                                            SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
                                                            Malicious:false
                                                            Preview:Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):346624
                                                            Entropy (8bit):6.54104466243173
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7A53AD3E5D2E65C982450E7B7453DE8A
                                                            SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
                                                            SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
                                                            SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2445312
                                                            Entropy (8bit):6.750207745422387
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:334C3157E63A34B22CCE25A44A04835F
                                                            SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                                                            SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                                                            SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):631017
                                                            Entropy (8bit):5.144793130466209
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                                                            SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                                                            SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                                                            SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                                                            Malicious:false
                                                            Preview:..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4400640
                                                            Entropy (8bit):6.667314807988382
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7F913E31D00082338F073EF60D67B335
                                                            SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                                                            SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                                                            SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):106
                                                            Entropy (8bit):4.724752649036734
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                            SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                            SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                            SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                            Malicious:false
                                                            Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):826368
                                                            Entropy (8bit):6.78646032943732
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A031EB19C61942A26EF74500AD4B42DF
                                                            SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                                                            SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                                                            SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):211456
                                                            Entropy (8bit):6.566524833521835
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:6D7FD214164C858BBCF4AA050C114E8C
                                                            SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                                                            SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                                                            SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):166912
                                                            Entropy (8bit):6.620919469365027
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0C653F386EFE0B014FFC681B49120706
                                                            SHA1:DD7DDEC0BAE7270469FA6CFB9D3D0B7F0C170B54
                                                            SHA-256:A6C2A7FFB68B797967AD979E51A1330E9F16223E4F5DC8500B0A58741176F83C
                                                            SHA-512:8323EC5EA07F3C14E63D4AD22106FF71064CB6AF9C6FA9AAF50347A5EF69D6DC4618317432CEAFC8F05163E81F681EB8FB0DC62BC637909B221372837BBF3523
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........t.....j.......t.......q.....Rich....................PE..L.....Zd.................l....0...................@..........................`1.....1h.........................................P.....0.................................................................................x............................text....j.......l.................. ..`.rdata..H ......."...p..............@..@.data...H...........................@....rsrc.........0.....................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\explorer.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):6.620919469365027
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:JuHVfiAuLo.exe
                                                            File size:166'912 bytes
                                                            MD5:0c653f386efe0b014ffc681b49120706
                                                            SHA1:dd7ddec0bae7270469fa6cfb9d3d0b7f0c170b54
                                                            SHA256:a6c2a7ffb68b797967ad979e51a1330e9f16223e4f5dc8500b0a58741176f83c
                                                            SHA512:8323ec5ea07f3c14e63d4ad22106ff71064cb6af9c6fa9aaf50347a5ef69d6dc4618317432ceafc8f05163e81f681eb8fb0dc62bc637909b221372837bbf3523
                                                            SSDEEP:3072:pW5NLXxnGu0jM5AJs7a8nInHhPaH5RzQkq1KuU3:c5NLhnGu0Q5ci12+5L7
                                                            TLSH:4BF35B607AF59036F3F79A742978A6D42F3BB8F37A31858E2650224E1D72AC18D71713
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................d.......u.......c.x...?"..........t.....j.......t.......q.....Rich....................PE..L.....Zd...........
                                                            Icon Hash:cb97334d5555599a
                                                            Entrypoint:0x401908
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x645AEEBD [Wed May 10 01:09:17 2023 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:0
                                                            File Version Major:5
                                                            File Version Minor:0
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:0
                                                            Import Hash:9d25817cccafbd9c57dfa5bcc3f6ce9c
                                                            Instruction
                                                            call 00007F6194E63C95h
                                                            jmp 00007F6194E5FF5Eh
                                                            mov edi, edi
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 00000328h
                                                            mov dword ptr [0041C918h], eax
                                                            mov dword ptr [0041C914h], ecx
                                                            mov dword ptr [0041C910h], edx
                                                            mov dword ptr [0041C90Ch], ebx
                                                            mov dword ptr [0041C908h], esi
                                                            mov dword ptr [0041C904h], edi
                                                            mov word ptr [0041C930h], ss
                                                            mov word ptr [0041C924h], cs
                                                            mov word ptr [0041C900h], ds
                                                            mov word ptr [0041C8FCh], es
                                                            mov word ptr [0041C8F8h], fs
                                                            mov word ptr [0041C8F4h], gs
                                                            pushfd
                                                            pop dword ptr [0041C928h]
                                                            mov eax, dword ptr [ebp+00h]
                                                            mov dword ptr [0041C91Ch], eax
                                                            mov eax, dword ptr [ebp+04h]
                                                            mov dword ptr [0041C920h], eax
                                                            lea eax, dword ptr [ebp+08h]
                                                            mov dword ptr [0041C92Ch], eax
                                                            mov eax, dword ptr [ebp-00000320h]
                                                            mov dword ptr [0041C868h], 00010001h
                                                            mov eax, dword ptr [0041C920h]
                                                            mov dword ptr [0041C81Ch], eax
                                                            mov dword ptr [0041C810h], C0000409h
                                                            mov dword ptr [0041C814h], 00000001h
                                                            mov eax, dword ptr [0041B004h]
                                                            mov dword ptr [ebp-00000328h], eax
                                                            mov eax, dword ptr [0041B008h]
                                                            mov dword ptr [ebp-00000324h], eax
                                                            call dword ptr [000000A4h]
                                                            Programming Language:
                                                            • [C++] VS2008 build 21022
                                                            • [ASM] VS2008 build 21022
                                                            • [ C ] VS2008 build 21022
                                                            • [IMP] VS2005 build 50727
                                                            • [RES] VS2008 build 21022
                                                            • [LNK] VS2008 build 21022
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x197ec | 0x50 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2308000 | 0xdbe8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x178 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x16aa2 | 0x16c00 | cba019b1ae96a53e66f2687697c70214 | False | 0.8027021806318682 | data | 7.498035460167549 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata | 0x18000 | 0x2048 | 0x2200 | abc5dba0acbb32644bceb2a1f83d5363 | False | 0.349609375 | data | 5.37696087773953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data | 0x1b000 | 0x22ec548 | 0x1e00 | a1b724b12c237806518b885344c1a4b7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc | 0x2308000 | 0xdbe8 | 0xdc00 | 214aac559655c9cfb1da3630ad9c4e0c | False | 0.5245738636363636 | data | 5.199709540419584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                            NUSUTUMA | 0x230eed8 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6277013752455796
                                                            RT_CURSOR | 0x230f2d8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
                                                            RT_ICON | 0x23086a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6124733475479744
                                                            RT_ICON | 0x2309548 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6922382671480144
                                                            RT_ICON | 0x2309df0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7523041474654378
                                                            RT_ICON | 0x230a4b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7976878612716763
                                                            RT_ICON | 0x230aa20 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5952282157676348
                                                            RT_ICON | 0x230cfc8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.7286585365853658
                                                            RT_ICON | 0x230e070 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7368852459016394
                                                            RT_ICON | 0x230e9f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8838652482269503
                                                            RT_STRING | 0x230f5d0 | 0xaa | data | | | 0.611764705882353
                                                            RT_STRING | 0x230f680 | 0x6e | data | | | 0.6
                                                            RT_STRING | 0x230f6f0 | 0x6b2 | data | | | 0.4305717619603267
                                                            RT_STRING | 0x230fda8 | 0x688 | data | | | 0.4342105263157895
                                                            RT_STRING | 0x2310430 | 0x6a4 | data | | | 0.42764705882352944
                                                            RT_STRING | 0x2310ad8 | 0x202 | data | | | 0.5019455252918288
                                                            RT_STRING | 0x2310ce0 | 0x6a4 | data | | | 0.42705882352941177
                                                            RT_STRING | 0x2311388 | 0x6d8 | data | | | 0.4297945205479452
                                                            RT_STRING | 0x2311a60 | 0x7e0 | data | | | 0.42162698412698413
                                                            RT_STRING | 0x2312240 | 0x71a | data | | | 0.42684268426842686
                                                            RT_STRING | 0x2312960 | 0x698 | data | | | 0.4277251184834123
                                                            RT_STRING | 0x2312ff8 | 0x798 | data | | | 0.4202674897119342
                                                            RT_STRING | 0x2313790 | 0x6dc | data | | | 0.4299544419134396
                                                            RT_STRING | 0x2313e70 | 0x82c | data | | | 0.41634799235181646
                                                            RT_STRING | 0x23146a0 | 0x672 | data | | | 0.44
                                                            RT_STRING | 0x2314d18 | 0x752 | data | | | 0.4247598719316969
                                                            RT_STRING | 0x2315470 | 0x720 | data | | | 0.42598684210526316
                                                            RT_STRING | 0x2315b90 | 0x52 | data | | | 0.6585365853658537
                                                            RT_GROUP_CURSOR | 0x230f408 | 0x14 | data | | | 1.15
                                                            RT_GROUP_ICON | 0x230ee60 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
                                                            RT_VERSION | 0x230f420 | 0x1b0 | data | | | 0.5995370370370371
                                                            DLL | Import
                                                            KERNEL32.dll | ZombifyActCtx, CreateJobObjectW, GetModuleHandleExW, SetVolumeMountPointW, SleepEx, GetModuleHandleW, GetTickCount, GetConsoleAliasesA, ReadConsoleOutputA, GlobalAlloc, GetConsoleAliasExesLengthW, lstrcpynW, WriteConsoleW, OpenJobObjectA, SetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, GetModuleFileNameW, GetComputerNameA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, GetLastError, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
                                                            GDI32.dll | GetBoundsRect
                                                            ole32.dll | CoTaskMemRealloc
                                                            Language of compilation system | Country where language is spoken | Map
                                                            Turkish | Turkey |
                                                            Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                            Target ID:0
                                                            Start time:01:50:57
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\Desktop\JuHVfiAuLo.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\JuHVfiAuLo.exe"
                                                            Imagebase:0x400000
                                                            File size:166'912 bytes
                                                            MD5 hash:0C653F386EFE0B014FFC681B49120706
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1447641178.00000000028D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1447603831.00000000028B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:01:51:02
                                                            Start date:03/07/2024
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0x7ff62d7d0000
                                                            File size:5'141'208 bytes
                                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:5
                                                            Start time:01:51:21
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\ifgewai
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\ifgewai
                                                            Imagebase:0x400000
                                                            File size:166'912 bytes
                                                            MD5 hash:0C653F386EFE0B014FFC681B49120706
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1675035476.0000000004371000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1674811450.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                            Antivirus matches:
                                                            • Detection: 39%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:01:51:36
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\37A.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\Temp\37A.exe
                                                            Imagebase:0xf10000
                                                            File size:6'642'176 bytes
                                                            MD5 hash:BD2EAC64CBDED877608468D86786594A
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.1853300930.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.1853494573.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 50%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:01:51:46
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\Temp\2C50.exe
                                                            Imagebase:0x400000
                                                            File size:293'869 bytes
                                                            MD5 hash:60172CA946DE57C3529E9F05CC502870
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 21%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:12
                                                            Start time:01:51:52
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\56AD.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Local\Temp\56AD.exe
                                                            Imagebase:0x440000
                                                            File size:578'048 bytes
                                                            MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 0000000C.00000002.2666707491.000000000120D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 16%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:01:53:06
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                            Imagebase:0x400000
                                                            File size:107'232'830 bytes
                                                            MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 3%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:01:53:37
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Imagebase:0x1c0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 3%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:01:53:41
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3420 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                                                            Imagebase:0x690000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3536 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                            Imagebase:0x7a0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3576 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                            Imagebase:0x5e0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903769137 --mojo-platform-channel-handle=3936 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                            Imagebase:0xcd0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x450000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:22
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719980718149919 --launch-time-ticks=5903928806 --mojo-platform-channel-handle=4104 --field-trial-handle=3424,i,8514718793866893320,15299251401448294970,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                            Imagebase:0x4a0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:01:53:42
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x70000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:01:53:43
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x630000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:01:53:43
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x2b0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:01:53:45
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xdd0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:27
                                                            Start time:01:53:45
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xac0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:28
                                                            Start time:01:53:45
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xc60000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:01:53:46
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x970000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:30
                                                            Start time:01:53:46
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xa10000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:01:53:46
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xae0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:32
                                                            Start time:01:53:46
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x750000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:33
                                                            Start time:01:53:47
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x6b0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:34
                                                            Start time:01:53:47
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xe00000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:35
                                                            Start time:01:53:48
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x970000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:36
                                                            Start time:01:53:48
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x240000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:37
                                                            Start time:01:53:48
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xc80000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:01:53:49
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x910000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:01:53:49
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0xb0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:40
                                                            Start time:01:53:49
                                                            Start date:03/07/2024
                                                            Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                            Imagebase:0x7e0000
                                                            File size:296'448 bytes
                                                            MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

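The records above (Target IDs 18 to 40) show the same 296'448-byte GamePall.exe image being launched repeatedly from the user's Roaming profile, with Chromium/CEF child processes started with `--no-sandbox`, `--service-sandbox-type=none` and a spoofed Android user-agent on a Windows host. The following is an added example, not Joe Sandbox code: it parses records in the report's "key:value" layout and flags those launch indicators. The indicator names, the regexes and the embedded sample text are mine (the sample is modeled on Target IDs 19, 21 and 26 of this report).

```python
"""Parse Joe Sandbox 'Target ID' process records and flag the CEF launch
indicators visible in this report.  Added example, not part of Joe Sandbox;
indicator names and thresholds are the author's own heuristics."""
import re
from collections import Counter

# Constructed input in the report's layout (one record per blank-line-separated
# block); values copied in shape from Target IDs 19, 21 and 26.
SAMPLE = r"""
Target ID:19
Start time:01:53:42
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none --no-sandbox --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data"
Imagebase:0x5e0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Has exited:true

Target ID:21
Start time:01:53:42
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x450000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Has exited:false

Target ID:26
Start time:01:53:45
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xdd0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Has exited:false
"""

# A --user-agent value that claims to be a phone browser; on a Windows host
# this is a deliberate override, not a default.
MOBILE_UA = re.compile(r'--user-agent="[^"]*(Android|iPhone|Mobile)[^"]*"')


def parse_records(text):
    """Split the text into blank-line-separated blocks and turn each
    'key:value' line into a dict entry.  Splitting on the FIRST colon only
    keeps 'Start time:01:53:42' and 'Path:C:...' intact; strip() removes
    the deep indentation the HTML export adds to every line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.strip().split(":", 1)
            rec[key.strip()] = value.strip()
        if "Target ID" in rec:
            records.append(rec)
    return records


def indicators(rec):
    """Launch indicators present in one record (heuristics, not a Joe Sandbox
    signature).  Order is fixed so results are comparable across records."""
    found = []
    path = rec.get("Path", "")
    cmd = rec.get("Commandline", "")
    tokens = cmd.split()  # the quoted UA contains spaces, but flags stay whole
    if "\\AppData\\Roaming\\" in path:
        found.append("runs-from-roaming-appdata")
    if "--no-sandbox" in tokens:
        found.append("chromium-no-sandbox")
    if "--service-sandbox-type=none" in tokens:
        found.append("service-sandbox-disabled")
    if MOBILE_UA.search(cmd):
        found.append("mobile-user-agent-on-windows")
    return found


def spawn_counts(records):
    """How often each (path, MD5) image was started: the report shows the same
    GamePall.exe image launched over twenty times in a few seconds."""
    return Counter((r.get("Path"), r.get("MD5 hash")) for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["Target ID"], indicators(r))
    print(spawn_counts(recs))
```

Feed the function the whole "Target ID" section of a report and sort by `spawn_counts` to spot the image that fans out; the indicator list then tells you which children were the CEF host's own utility/renderer processes and which were bare re-launches.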

                                                              Execution Graph

                                                              Execution Coverage:8.8%
                                                              Dynamic/Decrypted Code Coverage:21.9%
                                                              Signature Coverage:43.8%
                                                              Total number of Nodes:146
                                                              Total number of Limit Nodes:6
execution_graph (the graphical layout did not survive extraction; the call chains it encodes are listed per root below, with the node addresses and the API calls Joe Sandbox attached to them)

Root 402e63: 402e63 -> 402e67 -> 401918 (8 API calls) -> 402f44 (402e67 also goes directly to 402f44)

Root 401543: 401543 -> 401546 -> 4015e6 NtDuplicateObject -> 401603 NtCreateSection -> 401629 NtMapViewOfSection -> 40164c NtMapViewOfSection -> 40166a -> 401683 NtCreateSection -> 4016af -> 4016b9 NtMapViewOfSection -> 4016e0 NtMapViewOfSection -> 401702. 401603, 401629 and 40164c also branch directly to 401683; 401546, 4015e6, 401683, 4016af, 4016b9 and 4016e0 also branch to 401702.

Root 278003c: 278003c -> 2780049 -> 2780e0f SetErrorMode SetErrorMode -> 2780223 -> 2780d90 -> 2780dad -> 2780dbb GetPEB -> 2780238 VirtualAlloc -> 2780265 -> 27802ce VirtualProtect -> 278030b -> 2780439 VirtualFree -> 27804be LoadLibraryA -> 27808c7 (2780dad can skip GetPEB and go straight to 2780238)

Root 401924: 401924 -> 401929 -> 40195e Sleep -> 401979 -> 401538 (7 API calls) -> 40198a (401979 also goes directly to 40198a)

Root 296ebd3: 296ebd3 -> 296ebe4 -> 296f384 (3 API calls) -> 296ebfc

Root 402fe9: 402fe9 -> 403013 -> 4030ce RtlCreateUserThread NtTerminateProcess -> 403140 (402fe9 and 403013 also go directly to 403140)

Root 41752b: 41752b -> 41752f -> 417535 VirtualProtect -> 417537 (41752f also goes directly to 417537)

Root 417a8e: 417a8e -> 41779d (33 API calls) -> 417a96 -> 41779d (loop). Expansion of 41779d: 4177aa -> 417829 lstrcatW InterlockedExchangeAdd WriteConsoleW -> 417864 (7 API calls) -> 4178ec GetBoundsRect or 4178f5 -> 4178fe GetModuleHandleExW or 417918 -> 417926. From 417926: -> 417934 GlobalAlloc AddAtomA -> 417943 GetTickCount SetLastError -> 41795c ZombifyActCtx or 417963 GetConsoleAliasesA -> 417926; -> 417983 FoldStringA -> 417926; -> 417997 -> 417500 GlobalAlloc -> 4179df LoadLibraryA -> 41753d -> 41757c -> 417588 GetModuleHandleW GetProcAddress (loops back to 41757c) or 41765e -> 41751f VirtualProtect -> 417a3d -> 41775a -> 417683 -> 417698 CreateJobObjectW or 4176a0 -> 4176b4 OpenJobObjectA BuildCommDCBW LoadLibraryA or 4176cf -> 417795 or 41777d GetConsoleAliasExesLengthW UnhandledExceptionFilter FindFirstVolumeA -> 417795 -> 4176da -> 4176f4 -> 417714 GetComputerNameA SleepEx (loops back to 4176f4) or 417737 -> 41779a -> 417a42 -> 417a96.

Root 296ebe4: 296ebe4 -> 296ebf3 -> 296f384 -> 296f39f -> 296f3a8 CreateToolhelp32Snapshot (loops back to 296f39f) -> 296f3c4 Module32First -> 296f3d3 -> 296f043 -> 296f06e -> 296f07f VirtualAlloc -> 296f0b7 (self-loop); 296f3c4 also exits to 296ebfc, and 296f06e can skip VirtualAlloc.

Root 278092b: 278092b GetPEB -> 2780972

Root 401496: 401496 -> 401447 (loops back to 401496) -> 4015e6 NtDuplicateObject -> 401603 NtCreateSection -> 401629 NtMapViewOfSection -> 40164c NtMapViewOfSection -> 40166a -> 401683 NtCreateSection -> 4016af -> 4016b9 NtMapViewOfSection -> 4016e0 NtMapViewOfSection -> 40152f, with the same side branches as root 401543 (exit node 40152f instead of 401702)

Root 402eb7: 402eb7 -> 402eb8 -> 401918 -> 401929 -> 40195e Sleep -> 401979 -> 401538 -> 401539 -> 4015e6 NtDuplicateObject -> 401603 NtCreateSection -> 401629 NtMapViewOfSection -> 40164c NtMapViewOfSection -> 40166a -> 401683 NtCreateSection -> 4016af -> 4016b9 NtMapViewOfSection -> 4016e0 NtMapViewOfSection -> 401702 -> 40198a -> 402f44 (402eb8 also goes directly to 402f44; 401979 also goes directly to 40198a)

Root 4014de: 4014de -> 401447 -> 4015e6 NtDuplicateObject -> 401603 NtCreateSection -> 401629 NtMapViewOfSection -> 40164c NtMapViewOfSection -> 40166a -> 401683 NtCreateSection -> 4016af -> 4016b9 NtMapViewOfSection -> 4016e0 NtMapViewOfSection -> 40152f, with the same side branches as root 401496

                                                              Control-flow Graph

                                                              • Graph: function starting at 401496 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectView
                                                              • String ID:
                                                              • API String ID: 1652636561-0
                                                              • Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                              • Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
                                                              • Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                              • Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

                                                              Control-flow Graph

                                                              • Graph: function starting at 401538 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                              • Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
                                                              • Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                              • Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

                                                              Control-flow Graph

                                                              • Graph: function starting at 4014de (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectView
                                                              • String ID:
                                                              • API String ID: 1652636561-0
                                                              • Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                              • Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
                                                              • Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                              • Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

                                                              Control-flow Graph

                                                              • Graph: function starting at 401543 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                              • Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
                                                              • Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                              • Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

                                                              Control-flow Graph

                                                              • Graph: function starting at 401565 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                              • Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
                                                              • Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                              • Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

                                                              Control-flow Graph

                                                              • Graph: function starting at 401579 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                              • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                                                              • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                              • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

                                                              Control-flow Graph

                                                              • Graph: function starting at 40157c (basic blocks marked executed / not executed)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                              • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                                                              • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                              • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

                                                              Control-flow Graph

                                                              • Graph: function starting at 402fe9 (basic blocks marked executed / not executed)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: CreateProcessTerminateThreadUser
                                                              • String ID:
                                                              • API String ID: 1921587553-0
                                                              • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                              • Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
                                                              • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                              • Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

                                                              Control-flow Graph

                                                              • Graph: function starting at 296f384 (basic blocks marked executed / not executed)
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0296F3AC
                                                              • Module32First.KERNEL32(00000000,00000224), ref: 0296F3CC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0296C000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_296c000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 3833638111-0
                                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                              • Instruction ID: 85305a0faa775b9cc2cace1f34f415c298b7eaf7082112b74d400b9cf5d3f53b
                                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                              • Instruction Fuzzy Hash: 9CF06231600711AFD7203AB5B88DF7A76ECBF49765F141529E643918C0DB74E8454A61

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrcatW.KERNEL32(?,00000000), ref: 00417831
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041783F
                                                              • WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417856
                                                              • lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041786D
                                                              • GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417876
                                                              • SetFileApisToANSI.KERNEL32 ref: 0041787C
                                                              • ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 004178BD
                                                              • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 004178C5
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 004178D4
                                                              • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004178DD
                                                              • GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004178EF
                                                              • GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 0041790B
                                                              • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417936
                                                              • AddAtomA.KERNEL32(00000000), ref: 0041793D
                                                              • GetTickCount.KERNEL32 ref: 00417943
                                                              • SetLastError.KERNEL32(00000000), ref: 0041794A
                                                              • ZombifyActCtx.KERNEL32(00000000), ref: 0041795D
                                                              • GetConsoleAliasesA.KERNEL32(?,00000000,00000000), ref: 0041796C
                                                              • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417988
                                                              • LoadLibraryA.KERNELBASE(004193A0), ref: 00417A31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
                                                              • String ID: k`$tl_$}$
                                                              • API String ID: 2727110864-211918992
                                                              • Opcode ID: 3a35ffa5e64dab94d71c0fe09eb43b3bbc7f91130d627dae4625b1fbb8aaf4b6
                                                              • Instruction ID: 052c9d8132dfc4786eb303a82e488c952184c6fc2c401faab02c9e27e42c1487
                                                              • Opcode Fuzzy Hash: 3a35ffa5e64dab94d71c0fe09eb43b3bbc7f91130d627dae4625b1fbb8aaf4b6
                                                              • Instruction Fuzzy Hash: 68716B71845528EED721AB61EC88CDF7B79FF09355B10846AF105E2151CB388A89CFA9

                                                              Control-flow Graph

                                                              • Legend: Executed / Not Executed
                                                              • Graph summary: basic blocks 61-145 covering 0278003C-0278091D; block 63 calls sub_02780A3F, sub_02780E0F, sub_02780D90 and VirtualAlloc, block 79 calls sub_02780A69, block 83 calls VirtualProtect, sub_02780CCE and sub_02780CE7, blocks 92 and 124 call sub_02780CE7, block 91 calls VirtualFree, block 105 calls LoadLibraryA (edge list omitted)
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0278024D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2780000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID: cess$kernel32.dll
                                                              • API String ID: 4275171209-1230238691
                                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                              • Instruction ID: a4c1a54ca1671e26896132eb019021d556adb1bf3110f27a521c93bc695f7723
                                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                              • Instruction Fuzzy Hash: F9527A75A01229DFDB64DF58C985BACBBB1BF09304F1480D9E94DAB351DB30AA89CF14

                                                              Control-flow Graph

                                                              • Legend: Executed / Not Executed
                                                              • Graph summary: basic blocks 558-560 covering 02780E0F-02780E2C; block 558 calls SetErrorMode twice (edge list omitted)
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00000400,?,?,02780223,?,?), ref: 02780E19
                                                              • SetErrorMode.KERNELBASE(00000000,?,?,02780223,?,?), ref: 02780E1E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2780000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                              • Instruction ID: f6a11d2642f841788712fd3fb4466327a69264ddbeb3d06e509809cb3da93180
                                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                              • Instruction Fuzzy Hash: DFD0123214512877D7003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770954046E5

                                                              Control-flow Graph

                                                              • Legend: Executed / Not Executed
                                                              • Graph summary: basic blocks 561-565 covering 0041752B-0041753C; block 564 calls VirtualProtect (edge list omitted)
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(00000040,?,?,?,00417A3D), ref: 00417535
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: edb65285c22d606139e282b350792270a45ff417db56b3c7e0e4ae7122eae3aa
                                                              • Instruction ID: 194e0a83ff74d5b2780f4e6c67017bb2b3ecd52b36ec82312c32093e699c85f4
                                                              • Opcode Fuzzy Hash: edb65285c22d606139e282b350792270a45ff417db56b3c7e0e4ae7122eae3aa
                                                              • Instruction Fuzzy Hash: 4CC02BB0D40002B7D50047307DC18CF3B7FF7003E63A04808643680C20C63844960BF9

                                                              Control-flow Graph

                                                              • Legend: Executed / Not Executed
                                                              • Graph summary: single basic block 566 covering 0041751F-0041753C, calling VirtualProtect
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(00000040,?,?,?,00417A3D), ref: 00417535
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                              • Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
                                                              • Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                              • Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                              • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                                                              • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                              • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                              • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                              • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                              • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0296F094
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0296C000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_296c000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                              • Instruction ID: 541c99a4b75c3377b6c332a70b1b7585700e5b9a49d2e1deddec0e8789be451d
                                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                              • Instruction Fuzzy Hash: 49113C79A00208EFDB01DF98C989E99BBF5AF08350F098094F9489B361D371EA50DF80
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                              • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                              • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                              • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                              • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                              • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                              • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446284842.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                              • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                              • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                              • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2780000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$GetProcAddress.$l
                                                              • API String ID: 0-2784972518
                                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                              • Instruction ID: e776f8af7ad6e00c27cf0fe8fa7ddbee1d7dce2944122411ae565baa21e1a392
                                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                              • Instruction Fuzzy Hash: 2F314AB6940609DFDB10DF99C884AAEBBF9FF48324F15404AD841A7310D771EA49CFA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447731627.000000000296C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0296C000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_296c000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                              • Instruction ID: 402223b2dd52d38b0bde9c06f83165316cbeac8e9927692a866422ee016f3134
                                                              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                              • Instruction Fuzzy Hash: 42117976340100AFDB54DE59DC94FA673EAEB88320B298065E908CB315E679EC42CB60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1447509883.0000000002780000.00000040.00001000.00020000.00000000.sdmp, Offset: 02780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2780000_JuHVfiAuLo.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                              • Instruction ID: 110e7a00586266de584b1cb35a597225523da46c76988485b301bfda87e2ff6a
                                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                              • Instruction Fuzzy Hash: 8D01F272A506008FDF21EF20C805BAB33E5FB86306F0540A4D90A97282E370A8498B90
                                                              APIs
                                                              • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041769A
                                                              • OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 004176B7
                                                              • BuildCommDCBW.KERNEL32(00000000,?), ref: 004176C2
                                                              • LoadLibraryA.KERNEL32(00000000), ref: 004176C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: Object$BuildCommCreateLibraryLoadOpen
                                                              • String ID:
                                                              • API String ID: 2043902199-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(02705280), ref: 00417609
                                                              • GetProcAddress.KERNEL32(00000000,0041D350), ref: 00417646
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 1646373207-3916222277
                                                              APIs
                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00417722
                                                              • SleepEx.KERNEL32(00000000,00000000), ref: 0041772C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1446302229.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_40b000_JuHVfiAuLo.jbxd
                                                              Similarity
                                                              • API ID: ComputerNameSleep
                                                              • String ID: -
                                                              • API String ID: 3354815184-2547889144

                                                              Execution Graph

                                                              Execution Coverage:8.7%
                                                              Dynamic/Decrypted Code Coverage:21.9%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:146
                                                              Total number of Limit Nodes:6

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectView
                                                              • String ID:
                                                              • API String ID: 1652636561-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectView
                                                              • String ID:
                                                              • API String ID: 1652636561-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0

                                                              Control-flow Graph

                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                              • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                                                              • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                              • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 40157c-401915, entered through call 4011b7 at 40157c-401590; terminal block 4018dd-401915 calls 4011b7 again
                                                              • API calls by block: NtDuplicateObject (4015e6-4015fd); NtCreateSection (401603-401627, 401683-4016a9); NtMapViewOfSection (401629-40164a, 40164c-401668, 4016b9-4016da, 4016e0-4016fc); call 401707 (401702)
                                                              APIs
                                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$View$Create$DuplicateObject
                                                              • String ID:
                                                              • API String ID: 1546783058-0
                                                              • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                              • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                                                              • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                              • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 402fe9-403145, with a loop over 403044-4030c0 (self-loop at 403052-403060, back edge 4030c0 -> 403044) ahead of the single API-calling block
                                                              • API calls by block: RtlCreateUserThread, NtTerminateProcess (4030ce-40313d)
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: CreateProcessTerminateThreadUser
                                                              • String ID:
                                                              • API String ID: 1921587553-0
                                                              • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                              • Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
                                                              • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                              • Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

                                                              APIs
                                                              • lstrcatW.KERNEL32(?,00000000), ref: 00417831
                                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041783F
                                                              • WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417856
                                                              • lstrcpynW.KERNEL32(?,00000000,00000000), ref: 0041786D
                                                              • GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 00417876
                                                              • SetFileApisToANSI.KERNEL32 ref: 0041787C
                                                              • ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 004178BD
                                                              • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 004178C5
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 004178D4
                                                              • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004178DD
                                                              • GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004178EF
                                                              • GetModuleHandleExW.KERNEL32(00000000,0041931C,?), ref: 0041790B
                                                              • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417936
                                                              • AddAtomA.KERNEL32(00000000), ref: 0041793D
                                                              • GetTickCount.KERNEL32 ref: 00417943
                                                              • SetLastError.KERNEL32(00000000), ref: 0041794A
                                                              • ZombifyActCtx.KERNEL32(00000000), ref: 0041795D
                                                              • GetConsoleAliasesA.KERNEL32(?,00000000,00000000), ref: 0041796C
                                                              • FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00417988
                                                              • LoadLibraryA.KERNELBASE(004193A0), ref: 00417A31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Console$AtomFileModuleName$AliasesAllocApisBoundsCountDateEnumErrorExchangeFoldFormatsGlobalHandleInterlockedLastLibraryLoadMountOutputPointReadRectStringTickVolumeWriteZombifylstrcatlstrcpyn
                                                              • String ID: k`$tl_$}$
                                                              • API String ID: 2727110864-211918992
                                                              • Opcode ID: 3a35ffa5e64dab94d71c0fe09eb43b3bbc7f91130d627dae4625b1fbb8aaf4b6
                                                              • Instruction ID: 052c9d8132dfc4786eb303a82e488c952184c6fc2c401faab02c9e27e42c1487
                                                              • Opcode Fuzzy Hash: 3a35ffa5e64dab94d71c0fe09eb43b3bbc7f91130d627dae4625b1fbb8aaf4b6
                                                              • Instruction Fuzzy Hash: 68716B71845528EED721AB61EC88CDF7B79FF09355B10846AF105E2151CB388A89CFA9

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 285003c-285091d
                                                              • API calls by block: VirtualAlloc, with calls 2850a3f, 2850e0f, 2850d90 (285004c-2850263); call 2850a69 (2850265-2850289); VirtualProtect, with calls 2850cce, 2850ce7 (28502ce-28503c2); call 2850ce7 (28503e2-2850437); VirtualFree (2850439-28504b8); LoadLibraryA (285086e-28508be)
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0285024D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2850000_ifgewai.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID: cess$kernel32.dll
                                                              • API String ID: 4275171209-1230238691
                                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                              • Instruction ID: cf11491aa142ca8eaf013b1c682da2a8c3e9e67b7fc609de6ebcabd2ec8c6a2f
                                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                              • Instruction Fuzzy Hash: 16526978A01229DFDB64CF58C985BACBBB1BF09304F1480D9E94DAB351DB30AA85CF15

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 299fb34-299fb92
                                                              • API calls by block: CreateToolhelp32Snapshot (299fb58-299fb64); Module32First (299fb74-299fb81); call 299f7f3 (299fb83-299fb84)
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0299FB5C
                                                              • Module32First.KERNEL32(00000000,00000224), ref: 0299FB7C
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0299C000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_299c000_ifgewai.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 3833638111-0
                                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                              • Instruction ID: 0813bc56bedca73d8cb4078059b1853396f43b842cdc733404505aedcf9ac087
                                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                              • Instruction Fuzzy Hash: 3FF06231200711ABDB202EBD988CB6EF6ECAF49735F10066CE646D28C0DB70E8454A61

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 2850e0f-2850e2c
                                                              • API calls by block: SetErrorMode, called twice (2850e0f-2850e24)
                                                              APIs
                                                              • SetErrorMode.KERNELBASE(00000400,?,?,02850223,?,?), ref: 02850E19
                                                              • SetErrorMode.KERNELBASE(00000000,?,?,02850223,?,?), ref: 02850E1E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1674783702.0000000002850000.00000040.00001000.00020000.00000000.sdmp, Offset: 02850000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_2850000_ifgewai.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ErrorMode
                                                              • String ID:
                                                              • API String ID: 2340568224-0
                                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                              • Instruction ID: 2505ab2e1391db5db78ee4bbd1b920a9a47e9c24b8da0b320f25cb93a2937996
                                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                              • Instruction Fuzzy Hash: E6D0123514512877DB002A94DC09BCD7B1CDF09B66F108011FB0DD9080C770954046E5
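
The two API listings above for the functions at 0x401579 and 0x2850e0f are the most telling part of this dump: a section created with SECTION_MAP_EXECUTE and PAGE_EXECUTE_READWRITE is mapped PAGE_READWRITE into the current process and PAGE_EXECUTE_READ into a second process handle, which is the mapping-based injection the report flags as "Maps a DLL or memory area into another process", and SetErrorMode(0x400) is immediately followed by SetErrorMode(0), the shape of a known debugger probe. The following triage script is an added example, not Joe Sandbox code and not part of the sample: it parses API lines in the listing's own format (copied from this page as constructed input), decodes the section-access and page-protection constants, and flags both patterns. Two assumptions are labelled in the code: the listing's `000000FF` process handle is read as the `push -1` pseudo-handle for the current process, and a `?` process handle is reported only as "not the current process", since the listing does not resolve which process it refers to. Whether the SetErrorMode return value is actually compared is not visible here and is left as a caveat in the finding.

```python
"""Triage helper for the 'APIs' lists in a Joe Sandbox disassembly listing.
Added example, not Joe Sandbox code. Parses lines such as
    NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
decodes the constants that matter for injection, and flags two patterns."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API lines copied from this page for the functions at 0x401579
# and 0x2850e0f of process 5. Nothing here was produced by running the sample.
SAMPLE_API_LINES = """
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
SetErrorMode.KERNELBASE(00000400,?,?,02850223,?,?), ref: 02850E19
SetErrorMode.KERNELBASE(00000000,?,?,02850223,?,?), ref: 02850E1E
"""

# Lines without an argument list (e.g. "GetTickCount.KERNEL32 ref: ...") are skipped.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Constants as defined in the Windows SDK / ntifs.h.
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE",
                  0x4: "SECTION_MAP_READ", 0x8: "SECTION_MAP_EXECUTE"}
EXEC_PAGES = {0x10, 0x20, 0x40}
# Assumption: the listing renders the `push -1` (NtCurrentProcess pseudo-handle) as 000000FF.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # a '?' (value not resolved by the plugin) becomes None
    ref: int                   # address of the call instruction


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m["args"].split(",") if a.strip()]
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def arg(call: ApiCall, i: int) -> Optional[int]:
    return call.args[i] if i < len(call.args) else None


def access_flags(value: int) -> str:
    names = [n for bit, n in SECTION_ACCESS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def page_protect(value: Optional[int]) -> str:
    return "?" if value is None else PAGE_PROT.get(value, hex(value))


def find_section_injection(calls: List[ApiCall]) -> List[dict]:
    """Flag an NtCreateSection with execute rights whose following views land both
    in the current process (-1) and in a process handle that is not -1."""
    findings = []
    for i, c in enumerate(calls):
        if c.api != "NtCreateSection":
            continue
        access, prot = arg(c, 1) or 0, arg(c, 4)   # DesiredAccess, SectionPageProtection
        if not (access & 0x8 or prot in EXEC_PAGES):
            continue
        views = []
        for v in calls[i + 1:]:
            if v.api == "NtCreateSection":
                break                               # later views belong to the next section
            if v.api == "NtMapViewOfSection":
                views.append(v)
        local = [v for v in views if arg(v, 1) in CURRENT_PROCESS]   # ProcessHandle
        other = [v for v in views if arg(v, 1) not in CURRENT_PROCESS]
        if local and other:
            findings.append({"create_ref": c.ref,
                             "section_access": access_flags(access),
                             "section_protect": page_protect(prot),
                             "local_protect": [page_protect(arg(v, 9)) for v in local],
                             "other_protect": [page_protect(arg(v, 9)) for v in other]})
    return findings


def find_seterrormode_probe(calls: List[ApiCall]):
    """SetErrorMode(SEM_NOALIGNMENTFAULTEXCEPT) directly followed by SetErrorMode(0):
    the shape of a known debugger probe. Whether the first call's return value is
    compared against 0x400 must be confirmed in the disassembly."""
    return [(a.ref, b.ref) for a, b in zip(calls, calls[1:])
            if a.api == b.api == "SetErrorMode" and arg(a, 0) == 0x400 and arg(b, 0) == 0]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for f in find_section_injection(parsed):
        print(f"section mapped into another process at {f['create_ref']:08X}: {f}")
    for a, b in find_seterrormode_probe(parsed):
        print(f"SetErrorMode(0x400)/SetErrorMode(0) pair at {a:08X}/{b:08X}")
```

Run against the page's lines, the script reports the second section (created at 0x4016A4 with SECTION_MAP_WRITE|SECTION_MAP_READ|SECTION_MAP_EXECUTE and PAGE_EXECUTE_READWRITE) as mapped PAGE_READWRITE locally and PAGE_EXECUTE_READ into the other handle; the first section (0x00401622, PAGE_READWRITE on both sides) is only a data exchange and is not flagged. Code written through the local view becomes executable in the other process without any WriteProcessMemory call, which is why a detection rule keyed on WriteProcessMemory or NtWriteVirtualMemory alone misses this loader; the RtlCreateUserThread/NtTerminateProcess block at 0x4030ce-0x40313d is the matching thread-creation step the report lists as "Creates a thread in another existing process".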

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 41752b-41753c
                                                              • API calls by block: VirtualProtect (417535)
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(00000040,?,?,?,00417A3D), ref: 00417535
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: edb65285c22d606139e282b350792270a45ff417db56b3c7e0e4ae7122eae3aa
                                                              • Instruction ID: 194e0a83ff74d5b2780f4e6c67017bb2b3ecd52b36ec82312c32093e699c85f4
                                                              • Opcode Fuzzy Hash: edb65285c22d606139e282b350792270a45ff417db56b3c7e0e4ae7122eae3aa
                                                              • Instruction Fuzzy Hash: 4CC02BB0D40002B7D50047307DC18CF3B7FF7003E63A04808643680C20C63844960BF9

                                                              Control-flow Graph (rendered graph not reproduced; block data recovered from it follows)
                                                              • Basic blocks: 41751f-41753c (single block)
                                                              • API calls by block: VirtualProtect
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(00000040,?,?,?,00417A3D), ref: 00417535
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                              • Instruction ID: 4c62818881ac23e86d27b7ad5f6e3bb285c85b39ac0806b91a2128f0277fdf34
                                                              • Opcode Fuzzy Hash: 2b88e49853c53da7588208df039261d9438041cc52994e21c16ec495ebbe39ff
                                                              • Instruction Fuzzy Hash: 8CC08CB194020DFFDB018B91FC41E8D7BACF300248F808020B716A1060CAB1AD289F68
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                              • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                                                              • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                              • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                              • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                              • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                              • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0299F844
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1674934767.000000000299C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0299C000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_299c000_ifgewai.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                              • Instruction ID: b51445d199ce5551731ca073558fffae5083ff8de243116cbeef89c13452e0f0
                                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                              • Instruction Fuzzy Hash: 42113C79A00208EFDB01DF99C985E98BBF5AF08351F1580A4F9489B361D371EA50DF80
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                              • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                              • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                              • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                              • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                              • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                              • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                              APIs
                                                              • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673650791.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Section$CreateDuplicateObjectSleepView
                                                              • String ID:
                                                              • API String ID: 1885482327-0
                                                              • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                              • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                              • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                              • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                              APIs
                                                              • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041769A
                                                              • OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 004176B7
                                                              • BuildCommDCBW.KERNEL32(00000000,?), ref: 004176C2
                                                              • LoadLibraryA.KERNEL32(00000000), ref: 004176C9
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: Object$BuildCommCreateLibraryLoadOpen
                                                              • String ID:
                                                              • API String ID: 2043902199-0
                                                              • Opcode ID: 22d375c7685d614c2e767f9d77a3bae846fed0ceaca9cc11a963bcee4c6ddcf9
                                                              • Instruction ID: 6d29e2221a7ece4a59b988d40ef0520643394de3b9c2438902b5b70f558cfcb1
                                                              • Opcode Fuzzy Hash: 22d375c7685d614c2e767f9d77a3bae846fed0ceaca9cc11a963bcee4c6ddcf9
                                                              • Instruction Fuzzy Hash: 3DE03931802628EF87116B65EC488CF7FACFF0A399B408024F40591105DB784A49CFED
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(02705280), ref: 00417609
                                                              • GetProcAddress.KERNEL32(00000000,0041D350), ref: 00417646
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 1646373207-3916222277
                                                              • Opcode ID: 693097cdd84ba9854c5dbe997ef4c84b1086e9171fec20937db4cb2167ac3d77
                                                              • Instruction ID: 8a04b0f76734d35833049a8315372622441178a3705ed65c29a5cc93e45c5c89
                                                              • Opcode Fuzzy Hash: 693097cdd84ba9854c5dbe997ef4c84b1086e9171fec20937db4cb2167ac3d77
                                                              • Instruction Fuzzy Hash: E53181B5D893C4DCF30187A4B8497B23BA1AF15B04F48842AD954CB2E5D7FA0558CB2F
                                                              APIs
                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00417722
                                                              • SleepEx.KERNEL32(00000000,00000000), ref: 0041772C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.1673675612.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_40b000_ifgewai.jbxd
                                                              Similarity
                                                              • API ID: ComputerNameSleep
                                                              • String ID: -
                                                              • API String ID: 3354815184-2547889144
                                                              • Opcode ID: f3a38e88802384743aba706b666659164a4336ed23b531bc8a911463ac6589ab
                                                              • Instruction ID: 407a5ef00c5ff8afe7f5b2476c5fd199e6e137efe5b091aef663fa07b76849b8
                                                              • Opcode Fuzzy Hash: f3a38e88802384743aba706b666659164a4336ed23b531bc8a911463ac6589ab
                                                              • Instruction Fuzzy Hash: E101D6B08082189AD7209F68DDC17DABBB8AB08324F5141ADD751A6085CE745ACACF9C

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 20.5%
Signature Coverage: 6.6%
Total number of Nodes: 1629
Total number of Limit Nodes: 110
146017->146032 146018->146005 146031 44f374 146018->146031 146046 441d90 15 API calls 146018->146046 146047 441de0 20 API calls 146018->146047 146021 44f676 146052 4a4870 15 API calls 146021->146052 146022 44f6a0 146053 4a4870 15 API calls 146022->146053 146054 444120 39 API calls task 146023->146054 146024->146016 146025 44f5c9 146025->146021 146025->146022 146031->146006 146031->146025 146050 441d90 15 API calls 146031->146050 146051 441de0 20 API calls 146031->146051 146055 444120 39 API calls task 146032->146055 146034->145978 146035->145978 146036->145976 146037->145976 146038->145988 146039->145988 146040->145980 146041->145980 146042->145980 146043->145980 146044->146004 146045->146004 146046->146018 146047->146018 146048->146031 146049->146031 146050->146031 146051->146031 146052->146006 146053->146006 146054->145989 146055->145989 146056 455d29 146066 455d32 146056->146066 146057 455f2e 146059 456006 146057->146059 146060 455fdc 146057->146060 146331 4a4870 15 API calls 146059->146331 146330 4a4870 15 API calls 146060->146330 146065 456250 146067 456327 146065->146067 146068 4562fd 146065->146068 146066->146057 146077 455ffe 146066->146077 146328 441d90 15 API calls 146066->146328 146329 441de0 20 API calls 146066->146329 146335 4a4870 15 API calls 146067->146335 146334 4a4870 15 API calls 146068->146334 146070 456562 146074 45660f 146070->146074 146075 456639 146070->146075 146338 4a4870 15 API calls 146074->146338 146339 4a4870 15 API calls 146075->146339 146077->146065 146093 45631f 146077->146093 146299 45c4b7 146077->146299 146332 441d90 15 API calls 146077->146332 146333 441de0 20 API calls 146077->146333 146080 456880 146084 45692e 146080->146084 146085 456958 146080->146085 146081 457298 146117 4574e7 146081->146117 146123 4575b7 146081->146123 146356 441d90 15 API calls 146081->146356 146357 441de0 20 API calls 146081->146357 146083 456631 146083->146080 146089 456950 146083->146089 146340 441d90 15 API calls 146083->146340 146341 441de0 20 API 
calls 146083->146341 146342 4a4870 15 API calls 146084->146342 146343 4a4870 15 API calls 146085->146343 146087 456c63 146099 456eb7 146087->146099 146102 456f86 146087->146102 146348 441d90 15 API calls 146087->146348 146349 441de0 20 API calls 146087->146349 146089->146087 146092 456b93 146089->146092 146344 441d90 15 API calls 146089->146344 146345 441de0 20 API calls 146089->146345 146094 456c41 146092->146094 146095 456c6b 146092->146095 146093->146070 146093->146083 146336 441d90 15 API calls 146093->146336 146337 441de0 20 API calls 146093->146337 146346 4a4870 15 API calls 146094->146346 146347 4a4870 15 API calls 146095->146347 146096 4571c9 146109 457276 146096->146109 146110 4572a0 146096->146110 146103 456f64 146099->146103 146104 456f8e 146099->146104 146102->146081 146102->146096 146352 441d90 15 API calls 146102->146352 146353 441de0 20 API calls 146102->146353 146350 4a4870 15 API calls 146103->146350 146351 4a4870 15 API calls 146104->146351 146354 4a4870 15 API calls 146109->146354 146355 4a4870 15 API calls 146110->146355 146115 457595 146358 4a4870 15 API calls 146115->146358 146116 4575bf 146359 4a4870 15 API calls 146116->146359 146117->146115 146117->146116 146121 4577fa 146124 4578d2 146121->146124 146125 4578a8 146121->146125 146123->146121 146142 4578ca 146123->146142 146360 441d90 15 API calls 146123->146360 146361 441de0 20 API calls 146123->146361 146363 4a4870 15 API calls 146124->146363 146362 4a4870 15 API calls 146125->146362 146127 457b0d 146131 457be5 146127->146131 146132 457bbb 146127->146132 146367 4a4870 15 API calls 146131->146367 146366 4a4870 15 API calls 146132->146366 146134 457e20 146139 457ece 146134->146139 146140 457ef8 146134->146140 146138 458b71 VirtualAlloc 146198 458ba8 146138->146198 146370 4a4870 15 API calls 146139->146370 146371 4a4870 15 API calls 146140->146371 146142->146127 146149 457bdd 146142->146149 146364 441d90 15 API calls 146142->146364 146365 441de0 20 API calls 146142->146365 146146 458133 146147 
4581e1 146146->146147 146148 45820b 146146->146148 146374 4a4870 15 API calls 146147->146374 146375 4a4870 15 API calls 146148->146375 146149->146134 146160 457ef0 146149->146160 146368 441d90 15 API calls 146149->146368 146369 441de0 20 API calls 146149->146369 146153 458446 146155 4584f4 146153->146155 146156 45851e 146153->146156 146378 4a4870 15 API calls 146155->146378 146379 4a4870 15 API calls 146156->146379 146158 458759 146163 458807 146158->146163 146164 458831 146158->146164 146160->146146 146168 458203 146160->146168 146372 441d90 15 API calls 146160->146372 146373 441de0 20 API calls 146160->146373 146382 4a4870 15 API calls 146163->146382 146383 4a4870 15 API calls 146164->146383 146166 458a6c 146172 458b44 146166->146172 146173 458b1a 146166->146173 146168->146153 146176 458516 146168->146176 146376 441d90 15 API calls 146168->146376 146377 441de0 20 API calls 146168->146377 146171 4597c2 146187 459815 VirtualAlloc 146171->146187 146227 45985a 146171->146227 146387 4a4870 15 API calls 146172->146387 146386 4a4870 15 API calls 146173->146386 146174 458db3 146180 458e67 146174->146180 146181 458e91 146174->146181 146176->146158 146183 458829 146176->146183 146380 441d90 15 API calls 146176->146380 146381 441de0 20 API calls 146176->146381 146390 4a4870 15 API calls 146180->146390 146391 4a4870 15 API calls 146181->146391 146182 458b3c 146182->146138 146183->146138 146183->146166 146384 441d90 15 API calls 146183->146384 146385 441de0 20 API calls 146183->146385 146190 45983f 146187->146190 146187->146227 146188 4590cc 146191 4591a4 146188->146191 146192 45917a 146188->146192 146404 4a106c RaiseException 146190->146404 146395 4a4870 15 API calls 146191->146395 146394 4a4870 15 API calls 146192->146394 146195 4593df 146200 4594b7 146195->146200 146201 45948d 146195->146201 146198->146174 146205 458e89 146198->146205 146388 441d90 15 API calls 146198->146388 146389 441de0 20 API calls 146198->146389 146399 4a4870 15 API calls 146200->146399 146398 4a4870 
15 API calls 146201->146398 146203 4596f2 146208 4597a0 146203->146208 146209 4597ca 146203->146209 146205->146188 146211 45919c 146205->146211 146392 441d90 15 API calls 146205->146392 146393 441de0 20 API calls 146205->146393 146402 4a4870 15 API calls 146208->146402 146403 4a4870 15 API calls 146209->146403 146211->146195 146214 4594af 146211->146214 146396 441d90 15 API calls 146211->146396 146397 441de0 20 API calls 146211->146397 146214->146171 146214->146203 146400 441d90 15 API calls 146214->146400 146401 441de0 20 API calls 146214->146401 146216 459a68 146217 459b16 146216->146217 146218 459b40 146216->146218 146407 4a4870 15 API calls 146217->146407 146408 4a4870 15 API calls 146218->146408 146223 459e53 146412 4a4870 15 API calls 146223->146412 146224 459e29 146411 4a4870 15 API calls 146224->146411 146225 459d7b 146225->146223 146225->146224 146227->146216 146237 459b38 146227->146237 146405 441d90 15 API calls 146227->146405 146406 441de0 20 API calls 146227->146406 146230 45a09a 146232 45a172 146230->146232 146233 45a148 146230->146233 146416 4a4870 15 API calls 146232->146416 146415 4a4870 15 API calls 146233->146415 146235 45a3ad 146240 45a485 146235->146240 146241 45a45b 146235->146241 146237->146225 146245 459e4b 146237->146245 146409 441d90 15 API calls 146237->146409 146410 441de0 20 API calls 146237->146410 146420 4a4870 15 API calls 146240->146420 146419 4a4870 15 API calls 146241->146419 146243 45a6ca 146248 45a7a2 146243->146248 146249 45a778 146243->146249 146245->146230 146252 45a16a 146245->146252 146413 441d90 15 API calls 146245->146413 146414 441de0 20 API calls 146245->146414 146424 4a4870 15 API calls 146248->146424 146423 4a4870 15 API calls 146249->146423 146250 45a9dd 146256 45aab5 146250->146256 146257 45aa8b 146250->146257 146252->146235 146258 45a47d 146252->146258 146417 441d90 15 API calls 146252->146417 146418 441de0 20 API calls 146252->146418 146428 4a4870 15 API calls 146256->146428 146427 4a4870 15 API calls 
146257->146427 146258->146243 146269 45a79a 146258->146269 146421 441d90 15 API calls 146258->146421 146422 441de0 20 API calls 146258->146422 146262 45ad04 146264 45adb2 146262->146264 146265 45addc 146262->146265 146431 4a4870 15 API calls 146264->146431 146432 4a4870 15 API calls 146265->146432 146267 45b017 146272 45b0c5 146267->146272 146273 45b0ef 146267->146273 146269->146250 146277 45aaad 146269->146277 146425 441d90 15 API calls 146269->146425 146426 441de0 20 API calls 146269->146426 146435 4a4870 15 API calls 146272->146435 146436 4a4870 15 API calls 146273->146436 146275 45b336 146280 45b3e4 146275->146280 146281 45b40e 146275->146281 146277->146262 146284 45add4 146277->146284 146429 441d90 15 API calls 146277->146429 146430 441de0 20 API calls 146277->146430 146439 4a4870 15 API calls 146280->146439 146440 4a4870 15 API calls 146281->146440 146282 45b661 146288 45b715 146282->146288 146289 45b73f 146282->146289 146284->146267 146290 45b0e7 146284->146290 146433 441d90 15 API calls 146284->146433 146434 441de0 20 API calls 146284->146434 146443 4a4870 15 API calls 146288->146443 146444 4a4870 15 API calls 146289->146444 146290->146275 146296 45b406 146290->146296 146437 441d90 15 API calls 146290->146437 146438 441de0 20 API calls 146290->146438 146295 45b9af 146297 45ba63 146295->146297 146298 45ba8d 146295->146298 146296->146282 146305 45b737 codecvt 146296->146305 146441 441d90 15 API calls 146296->146441 146442 441de0 20 API calls 146296->146442 146447 4a4870 15 API calls 146297->146447 146448 4a4870 15 API calls 146298->146448 146303 45bce0 146306 45bd94 146303->146306 146307 45bdbe 146303->146307 146305->146295 146313 45ba85 146305->146313 146445 441d90 15 API calls 146305->146445 146446 441de0 20 API calls 146305->146446 146451 4a4870 15 API calls 146306->146451 146452 4a4870 15 API calls 146307->146452 146312 45c0b2 146314 45c165 146312->146314 146315 45c18f 146312->146315 146313->146303 146324 45bdb6 codecvt 146313->146324 146449 441d90 15 API 
calls 146313->146449 146450 441de0 20 API calls 146313->146450 146455 4a4870 15 API calls 146314->146455 146456 4a4870 15 API calls 146315->146456 146317 45c3e2 146321 45c495 146317->146321 146322 45c4bf 146317->146322 146459 4a4870 15 API calls 146321->146459 146460 4a4870 15 API calls 146322->146460 146324->146312 146327 45c187 146324->146327 146453 441d90 15 API calls 146324->146453 146454 441de0 20 API calls 146324->146454 146327->146299 146327->146317 146457 441d90 15 API calls 146327->146457 146458 441de0 20 API calls 146327->146458 146328->146066 146329->146066 146330->146077 146331->146077 146332->146077 146333->146077 146334->146093 146335->146093 146336->146093 146337->146093 146338->146083 146339->146083 146340->146083 146341->146083 146342->146089 146343->146089 146344->146089 146345->146089 146346->146087 146347->146087 146348->146087 146349->146087 146350->146102 146351->146102 146352->146102 146353->146102 146354->146081 146355->146081 146356->146081 146357->146081 146358->146123 146359->146123 146360->146123 146361->146123 146362->146142 146363->146142 146364->146142 146365->146142 146366->146149 146367->146149 146368->146149 146369->146149 146370->146160 146371->146160 146372->146160 146373->146160 146374->146168 146375->146168 146376->146168 146377->146168 146378->146176 146379->146176 146380->146176 146381->146176 146382->146183 146383->146183 146384->146183 146385->146183 146386->146182 146387->146182 146388->146198 146389->146198 146390->146205 146391->146205 146392->146205 146393->146205 146394->146211 146395->146211 146396->146211 146397->146211 146398->146214 146399->146214 146400->146214 146401->146214 146402->146171 146403->146171 146404->146227 146405->146227 146406->146227 146407->146237 146408->146237 146409->146237 146410->146237 146411->146245 146412->146245 146413->146245 146414->146245 146415->146252 146416->146252 146417->146252 146418->146252 146419->146258 146420->146258 146421->146258 146422->146258 146423->146269 146424->146269 
146425->146269 146426->146269 146427->146277 146428->146277 146429->146277 146430->146277 146431->146284 146432->146284 146433->146284 146434->146284 146435->146290 146436->146290 146437->146290 146438->146290 146439->146296 146440->146296 146441->146296 146442->146296 146443->146305 146444->146305 146445->146305 146446->146305 146447->146313 146448->146313 146449->146313 146450->146313 146451->146324 146452->146324 146453->146324 146454->146324 146455->146327 146456->146327 146457->146327 146458->146327 146459->146299 146460->146299 146461 467eea 146462 458b77 VirtualAlloc 146461->146462 146463 467ef2 146461->146463 146476 458ba8 146462->146476 146464 4597c2 146470 459815 VirtualAlloc 146464->146470 146512 45985a 146464->146512 146465 458db3 146467 458e67 146465->146467 146468 458e91 146465->146468 146615 4a4870 15 API calls 146467->146615 146616 4a4870 15 API calls 146468->146616 146474 45983f 146470->146474 146470->146512 146629 4a106c RaiseException 146474->146629 146475 4590cc 146477 4591a4 146475->146477 146478 45917a 146475->146478 146476->146465 146488 458e89 146476->146488 146613 441d90 15 API calls 146476->146613 146614 441de0 20 API calls 146476->146614 146620 4a4870 15 API calls 146477->146620 146619 4a4870 15 API calls 146478->146619 146480 4593df 146485 4594b7 146480->146485 146486 45948d 146480->146486 146624 4a4870 15 API calls 146485->146624 146623 4a4870 15 API calls 146486->146623 146488->146475 146497 45919c 146488->146497 146617 441d90 15 API calls 146488->146617 146618 441de0 20 API calls 146488->146618 146491 4596f2 146493 4597a0 146491->146493 146494 4597ca 146491->146494 146627 4a4870 15 API calls 146493->146627 146628 4a4870 15 API calls 146494->146628 146497->146480 146499 4594af 146497->146499 146621 441d90 15 API calls 146497->146621 146622 441de0 20 API calls 146497->146622 146499->146464 146499->146491 146625 441d90 15 API calls 146499->146625 146626 441de0 20 API calls 146499->146626 146501 459a68 146502 459b16 146501->146502 146503 
459b40 146501->146503 146632 4a4870 15 API calls 146502->146632 146633 4a4870 15 API calls 146503->146633 146508 459e53 146637 4a4870 15 API calls 146508->146637 146509 459e29 146636 4a4870 15 API calls 146509->146636 146510 459d7b 146510->146508 146510->146509 146512->146501 146522 459b38 146512->146522 146630 441d90 15 API calls 146512->146630 146631 441de0 20 API calls 146512->146631 146515 45a09a 146517 45a172 146515->146517 146518 45a148 146515->146518 146641 4a4870 15 API calls 146517->146641 146640 4a4870 15 API calls 146518->146640 146520 45a3ad 146525 45a485 146520->146525 146526 45a45b 146520->146526 146522->146510 146529 459e4b 146522->146529 146634 441d90 15 API calls 146522->146634 146635 441de0 20 API calls 146522->146635 146645 4a4870 15 API calls 146525->146645 146644 4a4870 15 API calls 146526->146644 146529->146515 146537 45a16a 146529->146537 146638 441d90 15 API calls 146529->146638 146639 441de0 20 API calls 146529->146639 146532 45a6ca 146533 45a7a2 146532->146533 146534 45a778 146532->146534 146649 4a4870 15 API calls 146533->146649 146648 4a4870 15 API calls 146534->146648 146535 45a9dd 146541 45aab5 146535->146541 146542 45aa8b 146535->146542 146537->146520 146543 45a47d 146537->146543 146642 441d90 15 API calls 146537->146642 146643 441de0 20 API calls 146537->146643 146653 4a4870 15 API calls 146541->146653 146652 4a4870 15 API calls 146542->146652 146543->146532 146554 45a79a 146543->146554 146646 441d90 15 API calls 146543->146646 146647 441de0 20 API calls 146543->146647 146547 45ad04 146549 45adb2 146547->146549 146550 45addc 146547->146550 146656 4a4870 15 API calls 146549->146656 146657 4a4870 15 API calls 146550->146657 146552 45b017 146557 45b0c5 146552->146557 146558 45b0ef 146552->146558 146554->146535 146561 45aaad 146554->146561 146650 441d90 15 API calls 146554->146650 146651 441de0 20 API calls 146554->146651 146660 4a4870 15 API calls 146557->146660 146661 4a4870 15 API calls 146558->146661 146561->146547 146569 45add4 
146561->146569 146654 441d90 15 API calls 146561->146654 146655 441de0 20 API calls 146561->146655 146564 45b336 146565 45b3e4 146564->146565 146566 45b40e 146564->146566 146664 4a4870 15 API calls 146565->146664 146665 4a4870 15 API calls 146566->146665 146567 45b661 146573 45b715 146567->146573 146574 45b73f 146567->146574 146569->146552 146575 45b0e7 146569->146575 146658 441d90 15 API calls 146569->146658 146659 441de0 20 API calls 146569->146659 146668 4a4870 15 API calls 146573->146668 146669 4a4870 15 API calls 146574->146669 146575->146564 146581 45b406 146575->146581 146662 441d90 15 API calls 146575->146662 146663 441de0 20 API calls 146575->146663 146580 45b9af 146582 45ba63 146580->146582 146583 45ba8d 146580->146583 146581->146567 146590 45b737 codecvt 146581->146590 146666 441d90 15 API calls 146581->146666 146667 441de0 20 API calls 146581->146667 146672 4a4870 15 API calls 146582->146672 146673 4a4870 15 API calls 146583->146673 146584 45c4b7 146589 45bce0 146591 45bd94 146589->146591 146592 45bdbe 146589->146592 146590->146580 146598 45ba85 146590->146598 146670 441d90 15 API calls 146590->146670 146671 441de0 20 API calls 146590->146671 146676 4a4870 15 API calls 146591->146676 146677 4a4870 15 API calls 146592->146677 146597 45c0b2 146599 45c165 146597->146599 146600 45c18f 146597->146600 146598->146589 146609 45bdb6 codecvt 146598->146609 146674 441d90 15 API calls 146598->146674 146675 441de0 20 API calls 146598->146675 146680 4a4870 15 API calls 146599->146680 146681 4a4870 15 API calls 146600->146681 146602 45c3e2 146606 45c495 146602->146606 146607 45c4bf 146602->146607 146684 4a4870 15 API calls 146606->146684 146685 4a4870 15 API calls 146607->146685 146609->146597 146612 45c187 146609->146612 146678 441d90 15 API calls 146609->146678 146679 441de0 20 API calls 146609->146679 146612->146584 146612->146602 146682 441d90 15 API calls 146612->146682 146683 441de0 20 API calls 146612->146683 146613->146476 146614->146476 146615->146488 
146616->146488 146617->146488 146618->146488 146619->146497 146620->146497 146621->146497 146622->146497 146623->146499 146624->146499 146625->146499 146626->146499 146627->146464 146628->146464 146629->146512 146630->146512 146631->146512 146632->146522 146633->146522 146634->146522 146635->146522 146636->146529 146637->146529 146638->146529 146639->146529 146640->146537 146641->146537 146642->146537 146643->146537 146644->146543 146645->146543 146646->146543 146647->146543 146648->146554 146649->146554 146650->146554 146651->146554 146652->146561 146653->146561 146654->146561 146655->146561 146656->146569 146657->146569 146658->146569 146659->146569 146660->146575 146661->146575 146662->146575 146663->146575 146664->146581 146665->146581 146666->146581 146667->146581 146668->146590 146669->146590 146670->146590 146671->146590 146672->146598 146673->146598 146674->146598 146675->146598 146676->146609 146677->146609 146678->146609 146679->146609 146680->146612 146681->146612 146682->146612 146683->146612 146684->146584 146685->146584 146686 49fca5 146692 49fcb9 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock std::locale::_Setgloballocale 146686->146692 146687 49fcbf 146688 49fd40 146708 4a05aa 146688->146708 146692->146687 146692->146688 146717 4a762e 39 API calls 4 library calls 146692->146717 146694 49fd4e 146695 49fd5b 146694->146695 146718 4a05e0 GetModuleHandleW 146695->146718 146697 49fd62 146698 49fdd0 146697->146698 146699 49fd66 146697->146699 146721 4a81b7 21 API calls std::locale::_Setgloballocale 146698->146721 146701 49fd6f 146699->146701 146719 4a816c 21 API calls std::locale::_Setgloballocale 146699->146719 146720 49ffd0 75 API calls ___scrt_uninitialize_crt 146701->146720 146702 49fdd6 146722 4a817b 21 API calls std::locale::_Setgloballocale 146702->146722 146706 49fd77 146706->146687 146707 49fdde 146723 4a0e90 146708->146723 146710 4a05bd GetStartupInfoW 146711 49fd46 146710->146711 146712 4a7e0a 146711->146712 146724 4b2f03 
146712->146724 146714 4a7e4d 146714->146694 146715 4a7e13 146715->146714 146730 4b31b6 39 API calls 146715->146730 146717->146688 146718->146697 146719->146701 146720->146706 146721->146702 146722->146707 146723->146710 146725 4b2f0c 146724->146725 146729 4b2f3e 146724->146729 146731 4aa9ab 146725->146731 146729->146715 146730->146715 146732 4aa9bc 146731->146732 146733 4aa9b6 146731->146733 146737 4aa9c2 146732->146737 146783 4ae054 6 API calls std::_Lockit::_Lockit 146732->146783 146782 4ae015 6 API calls std::_Lockit::_Lockit 146733->146782 146736 4aa9d6 146736->146737 146738 4aa9da 146736->146738 146740 4aa9c7 146737->146740 146791 4a7134 39 API calls std::locale::_Setgloballocale 146737->146791 146784 4adb5d 14 API calls 3 library calls 146738->146784 146759 4b2d0e 146740->146759 146743 4aa9e6 146744 4aa9ee 146743->146744 146745 4aaa03 146743->146745 146785 4ae054 6 API calls std::_Lockit::_Lockit 146744->146785 146787 4ae054 6 API calls std::_Lockit::_Lockit 146745->146787 146748 4aaa0f 146749 4aaa22 146748->146749 146750 4aaa13 146748->146750 146789 4aa71e 14 API calls __Getctype 146749->146789 146788 4ae054 6 API calls std::_Lockit::_Lockit 146750->146788 146754 4aaa00 146754->146737 146755 4aa9fa 146786 4aabdb 14 API calls 2 library calls 146755->146786 146756 4aaa2d 146790 4aabdb 14 API calls 2 library calls 146756->146790 146758 4aaa34 146758->146740 146792 4b2e63 146759->146792 146764 4b2d51 146764->146729 146767 4b2d6a 146828 4aabdb 14 API calls 2 library calls 146767->146828 146768 4b2d78 146817 4b2f61 146768->146817 146772 4b2db0 146829 4a53de 14 API calls __dosmaperr 146772->146829 146774 4b2db5 146830 4aabdb 14 API calls 2 library calls 146774->146830 146775 4b2dcb 146780 4b2df7 146775->146780 146831 4aabdb 14 API calls 2 library calls 146775->146831 146781 4b2e40 146780->146781 146832 4b2987 39 API calls 2 library calls 146780->146832 146833 4aabdb 14 API calls 2 library calls 146781->146833 146782->146732 146783->146736 146784->146743 
146785->146755 146786->146754 146787->146748 146788->146755 146789->146756 146790->146758 146793 4b2e6f ___scrt_is_nonwritable_in_current_image 146792->146793 146799 4b2e89 146793->146799 146834 4a49ca EnterCriticalSection 146793->146834 146795 4b2ec5 146836 4b2ee2 LeaveCriticalSection std::_Lockit::~_Lockit 146795->146836 146798 4b2d38 146803 4b2a95 146798->146803 146799->146798 146837 4a7134 39 API calls std::locale::_Setgloballocale 146799->146837 146801 4b2e99 146801->146795 146835 4aabdb 14 API calls 2 library calls 146801->146835 146838 4a7178 146803->146838 146805 4b2aa7 146806 4b2ac8 146805->146806 146807 4b2ab6 GetOEMCP 146805->146807 146808 4b2acd GetACP 146806->146808 146809 4b2adf 146806->146809 146807->146809 146808->146809 146809->146764 146810 4aac15 146809->146810 146811 4aac53 146810->146811 146816 4aac23 __Getctype 146810->146816 146849 4a53de 14 API calls __dosmaperr 146811->146849 146813 4aac3e RtlAllocateHeap 146814 4aac51 146813->146814 146813->146816 146814->146767 146814->146768 146816->146811 146816->146813 146848 4a7694 EnterCriticalSection LeaveCriticalSection codecvt 146816->146848 146818 4b2a95 41 API calls 146817->146818 146820 4b2f81 146818->146820 146819 4b3086 146861 4a003d 146819->146861 146820->146819 146821 4b2fbe IsValidCodePage 146820->146821 146826 4b2fd9 codecvt 146820->146826 146821->146819 146823 4b2fd0 146821->146823 146825 4b2ff9 GetCPInfo 146823->146825 146823->146826 146824 4b2da5 146824->146772 146824->146775 146825->146819 146825->146826 146850 4b2b69 146826->146850 146828->146764 146829->146774 146830->146764 146831->146780 146832->146781 146833->146764 146834->146801 146835->146795 146836->146799 146839 4a7196 146838->146839 146845 4aa8f0 39 API calls 3 library calls 146839->146845 146841 4a71b7 146846 4aac63 39 API calls __Getctype 146841->146846 146843 4a71cd 146847 4aacc1 39 API calls ctype 146843->146847 146845->146841 146846->146843 146848->146816 146849->146814 146851 4b2b91 GetCPInfo 146850->146851 146860 
4b2c5a 146850->146860 146852 4b2ba9 146851->146852 146851->146860 146868 4aece1 146852->146868 146854 4a003d __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 146855 4b2d0c 146854->146855 146855->146819 146859 4aefd1 44 API calls 146859->146860 146860->146854 146862 4a0046 IsProcessorFeaturePresent 146861->146862 146863 4a0045 146861->146863 146865 4a072d 146862->146865 146863->146824 146946 4a06f0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 146865->146946 146867 4a0810 146867->146824 146869 4a7178 ctype 39 API calls 146868->146869 146870 4aed01 146869->146870 146888 4b1e03 146870->146888 146872 4aedbd 146874 4a003d __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 146872->146874 146873 4aedb5 146891 49faaa 14 API calls ___vcrt_freefls@4 146873->146891 146877 4aede0 146874->146877 146875 4aed2e 146875->146872 146875->146873 146876 4aac15 std::_Locinfo::_Locinfo_dtor 15 API calls 146875->146876 146879 4aed53 ctype codecvt 146875->146879 146876->146879 146883 4aefd1 146877->146883 146879->146873 146880 4b1e03 __fread_nolock MultiByteToWideChar 146879->146880 146881 4aed9c 146880->146881 146881->146873 146882 4aeda3 GetStringTypeW 146881->146882 146882->146873 146884 4a7178 ctype 39 API calls 146883->146884 146885 4aefe4 146884->146885 146894 4aede2 146885->146894 146892 4b1d6b 146888->146892 146891->146872 146893 4b1d7c MultiByteToWideChar 146892->146893 146893->146875 146895 4aedfd ctype 146894->146895 146896 4b1e03 __fread_nolock MultiByteToWideChar 146895->146896 146900 4aee41 146896->146900 146897 4aefbc 146898 4a003d __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 146897->146898 146899 4aefcf 146898->146899 146899->146859 146900->146897 146901 4aac15 std::_Locinfo::_Locinfo_dtor 15 API calls 146900->146901 146903 4aee67 ctype 146900->146903 146921 4aef0f 146900->146921 146901->146903 146904 4b1e03 __fread_nolock MultiByteToWideChar 146903->146904 146903->146921 
146905 4aeeb0 146904->146905 146905->146921 146922 4ae1d3 146905->146922 146908 4aef1e 146910 4aefa7 146908->146910 146911 4aef30 ctype 146908->146911 146913 4aac15 std::_Locinfo::_Locinfo_dtor 15 API calls 146908->146913 146909 4aeee6 146912 4ae1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 146909->146912 146909->146921 146933 49faaa 14 API calls ___vcrt_freefls@4 146910->146933 146911->146910 146915 4ae1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 146911->146915 146912->146921 146913->146911 146916 4aef73 146915->146916 146916->146910 146931 4b1ebd WideCharToMultiByte _Fputc 146916->146931 146918 4aef8d 146918->146910 146919 4aef96 146918->146919 146932 49faaa 14 API calls ___vcrt_freefls@4 146919->146932 146934 49faaa 14 API calls ___vcrt_freefls@4 146921->146934 146935 4add60 146922->146935 146925 4ae20b 146938 4ae230 5 API calls std::_Locinfo::_Locinfo_dtor 146925->146938 146926 4ae1e4 LCMapStringEx 146930 4ae22b 146926->146930 146929 4ae224 LCMapStringW 146929->146930 146930->146908 146930->146909 146930->146921 146931->146918 146932->146921 146933->146921 146934->146897 146939 4ade5f 146935->146939 146938->146929 146940 4add76 146939->146940 146941 4ade8f 146939->146941 146940->146925 146940->146926 146941->146940 146942 4add94 std::_Lockit::_Lockit LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 146941->146942 146943 4adea3 146942->146943 146943->146940 146944 4adea9 GetProcAddress 146943->146944 146944->146940 146945 4adeb9 std::_Lockit::_Lockit 146944->146945 146945->146940 146946->146867 146947 4514b9 146958 4514c2 146947->146958 146948 451779 147025 453fe0 146948->147025 146950 4516a9 146952 451757 146950->146952 146953 451781 146950->146953 147062 4a4870 15 API calls 146952->147062 147063 4a4870 15 API calls 146953->147063 146958->146948 146958->146950 147060 441d90 15 API calls 146958->147060 147061 441de0 20 API calls 146958->147061 146959 451a84 147067 4a4870 15 API calls 146959->147067 146960 451a5a 147066 4a4870 15 API calls 146960->147066 
146961 4519ac 146961->146959 146961->146960 146964 451cbf 146967 451d97 146964->146967 146968 451d6d 146964->146968 147071 4a4870 15 API calls 146967->147071 147070 4a4870 15 API calls 146968->147070 146971 4517b3 146971->146961 146978 451a7c 146971->146978 147064 441d90 15 API calls 146971->147064 147065 441de0 20 API calls 146971->147065 146974 452080 147074 4a4870 15 API calls 146974->147074 146975 4520aa 147075 4a4870 15 API calls 146975->147075 146976 451fd2 146976->146974 146976->146975 146978->146964 146987 451d8f 146978->146987 147068 441d90 15 API calls 146978->147068 147069 441de0 20 API calls 146978->147069 146981 4522ed 146983 4523c4 146981->146983 146984 45239a 146981->146984 147079 4a4870 15 API calls 146983->147079 147078 4a4870 15 API calls 146984->147078 146987->146976 146994 4520a2 146987->146994 147072 441d90 15 API calls 146987->147072 147073 441de0 20 API calls 146987->147073 146990 4526d6 147083 4a4870 15 API calls 146990->147083 146991 4526ac 147082 4a4870 15 API calls 146991->147082 146992 4525ff 146992->146990 146992->146991 146994->146981 147003 4523bc 146994->147003 147076 441d90 15 API calls 146994->147076 147077 441de0 20 API calls 146994->147077 146997 452911 147000 4529be 146997->147000 147001 4529e8 146997->147001 146999 453011 147006 4530ce 146999->147006 147007 45306a LoadLibraryA CreateThread WaitForSingleObject FreeLibrary 146999->147007 147086 4a4870 15 API calls 147000->147086 147087 4a4870 15 API calls 147001->147087 147003->146992 147008 4526ce 147003->147008 147080 441d90 15 API calls 147003->147080 147081 441de0 20 API calls 147003->147081 147007->147006 147112 39b21f5 95 API calls 147007->147112 147008->146997 147022 4529e0 147008->147022 147084 441d90 15 API calls 147008->147084 147085 441de0 20 API calls 147008->147085 147009 452c26 147011 452cd3 147009->147011 147012 452cfd 147009->147012 147090 4a4870 15 API calls 147011->147090 147091 4a4870 15 API calls 147012->147091 147016 452f42 147018 452fef 147016->147018 147019 
453019 147016->147019 147094 4a4870 15 API calls 147018->147094 147095 4a4870 15 API calls 147019->147095 147022->147009 147024 452cf5 147022->147024 147088 441d90 15 API calls 147022->147088 147089 441de0 20 API calls 147022->147089 147024->146999 147024->147016 147092 441d90 15 API calls 147024->147092 147093 441de0 20 API calls 147024->147093 147039 45400f 147025->147039 147027 454bae 147027->146971 147028 4541c0 147029 454274 147028->147029 147030 45424a 147028->147030 147101 4a4870 15 API calls 147029->147101 147100 4a4870 15 API calls 147030->147100 147035 454473 147036 454527 147035->147036 147037 4544fd 147035->147037 147105 4a4870 15 API calls 147036->147105 147104 4a4870 15 API calls 147037->147104 147039->147028 147044 45426c 147039->147044 147098 441d90 15 API calls 147039->147098 147099 441de0 20 API calls 147039->147099 147042 454717 147045 4547a1 147042->147045 147046 4547cb 147042->147046 147044->147035 147052 45451f 147044->147052 147102 441d90 15 API calls 147044->147102 147103 441de0 20 API calls 147044->147103 147108 4a4870 15 API calls 147045->147108 147109 4a4870 15 API calls 147046->147109 147051 4549bb 147051->147027 147053 454a6d GetModuleHandleA GetProcAddress 147051->147053 147052->147042 147055 4547c3 147052->147055 147106 441d90 15 API calls 147052->147106 147107 441de0 20 API calls 147052->147107 147056 454a9f codecvt 147053->147056 147055->147051 147110 441d90 15 API calls 147055->147110 147111 441de0 20 API calls 147055->147111 147057 454b3a VirtualProtect VirtualProtect 147056->147057 147096 4a0910 147057->147096 147060->146958 147061->146958 147062->146948 147063->146948 147064->146971 147065->146971 147066->146978 147067->146978 147068->146978 147069->146978 147070->146987 147071->146987 147072->146987 147073->146987 147074->146994 147075->146994 147076->146994 147077->146994 147078->147003 147079->147003 147080->147003 147081->147003 147082->147008 147083->147008 147084->147008 147085->147008 147086->147022 147087->147022 
147088->147022 147089->147022 147090->147024 147091->147024 147092->147024 147093->147024 147094->146999 147095->146999 147097 454b84 VirtualProtect 147096->147097 147097->147027 147098->147039 147099->147039 147100->147044 147101->147044 147102->147044 147103->147044 147104->147052 147105->147052 147106->147052 147107->147052 147108->147055 147109->147055 147110->147055 147111->147055 147113 445ed9 147122 445ee2 147113->147122 147114 4461f5 LoadLibraryA 147137 44621e 147114->147137 147359 446205 147114->147359 147116 4460de 147117 4461b6 147116->147117 147118 44618c 147116->147118 147531 4a4870 15 API calls 147117->147531 147530 4a4870 15 API calls 147118->147530 147122->147116 147123 4461ae 147122->147123 147528 441d90 15 API calls 147122->147528 147529 441de0 20 API calls 147122->147529 147123->147114 147124 44680d 147125 446854 GetProcAddress 147124->147125 147151 446877 147125->147151 147126 44642c 147128 446503 147126->147128 147129 4464d9 147126->147129 147535 4a4870 15 API calls 147128->147535 147534 4a4870 15 API calls 147129->147534 147134 446815 147539 4a4870 15 API calls 147134->147539 147135 4467eb 147538 4a4870 15 API calls 147135->147538 147136 44673e 147136->147134 147136->147135 147137->147126 147141 4464fb 147137->147141 147532 441d90 15 API calls 147137->147532 147533 441de0 20 API calls 147137->147533 147141->147124 147141->147136 147536 441d90 15 API calls 147141->147536 147537 441de0 20 API calls 147141->147537 147143 446a73 147144 446b21 147143->147144 147145 446b4b 147143->147145 147542 4a4870 15 API calls 147144->147542 147543 4a4870 15 API calls 147145->147543 147150 446d86 147152 446e34 147150->147152 147153 446e5e 147150->147153 147151->147143 147162 446b43 147151->147162 147540 441d90 15 API calls 147151->147540 147541 441de0 20 API calls 147151->147541 147546 4a4870 15 API calls 147152->147546 147547 4a4870 15 API calls 147153->147547 147157 447099 147159 447147 147157->147159 147160 447171 147157->147160 147550 4a4870 15 API calls 
147159->147550 147551 4a4870 15 API calls 147160->147551 147162->147150 147169 446e56 147162->147169 147544 441d90 15 API calls 147162->147544 147545 441de0 20 API calls 147162->147545 147166 4473ac 147167 447484 147166->147167 147168 44745a 147166->147168 147555 4a4870 15 API calls 147167->147555 147554 4a4870 15 API calls 147168->147554 147169->147157 147180 447169 147169->147180 147548 441d90 15 API calls 147169->147548 147549 441de0 20 API calls 147169->147549 147174 4476bf 147175 447797 147174->147175 147176 44776d 147174->147176 147559 4a4870 15 API calls 147175->147559 147558 4a4870 15 API calls 147176->147558 147178 4479d2 147183 447a80 147178->147183 147184 447aaa 147178->147184 147180->147166 147188 44747c 147180->147188 147552 441d90 15 API calls 147180->147552 147553 441de0 20 API calls 147180->147553 147562 4a4870 15 API calls 147183->147562 147563 4a4870 15 API calls 147184->147563 147186 447ce5 147191 447d93 147186->147191 147192 447dbd 147186->147192 147188->147174 147194 44778f 147188->147194 147556 441d90 15 API calls 147188->147556 147557 441de0 20 API calls 147188->147557 147566 4a4870 15 API calls 147191->147566 147567 4a4870 15 API calls 147192->147567 147194->147178 147203 447aa2 147194->147203 147560 441d90 15 API calls 147194->147560 147561 441de0 20 API calls 147194->147561 147198 4486ee 147202 448735 GetProcAddress 147198->147202 147199 447ff8 147200 4480a6 147199->147200 147201 4480d0 147199->147201 147570 4a4870 15 API calls 147200->147570 147571 4a4870 15 API calls 147201->147571 147233 448758 147202->147233 147203->147186 147216 447db5 147203->147216 147564 441d90 15 API calls 147203->147564 147565 441de0 20 API calls 147203->147565 147207 44830b 147209 4483e3 147207->147209 147210 4483b9 147207->147210 147575 4a4870 15 API calls 147209->147575 147574 4a4870 15 API calls 147210->147574 147214 44861e 147217 4486f6 147214->147217 147218 4486cc 147214->147218 147216->147199 147220 4480c8 147216->147220 147568 441d90 15 API calls 
147216->147568 147569 441de0 20 API calls 147216->147569 147579 4a4870 15 API calls 147217->147579 147578 4a4870 15 API calls 147218->147578 147220->147207 147223 4483db 147220->147223 147572 441d90 15 API calls 147220->147572 147573 441de0 20 API calls 147220->147573 147223->147198 147223->147214 147576 441d90 15 API calls 147223->147576 147577 441de0 20 API calls 147223->147577 147225 448a02 147582 4a4870 15 API calls 147225->147582 147226 448a2c 147583 4a4870 15 API calls 147226->147583 147227 448954 147227->147225 147227->147226 147232 448c67 147234 448d15 147232->147234 147235 448d3f 147232->147235 147233->147227 147243 448a24 147233->147243 147580 441d90 15 API calls 147233->147580 147581 441de0 20 API calls 147233->147581 147586 4a4870 15 API calls 147234->147586 147587 4a4870 15 API calls 147235->147587 147240 448f7a 147241 449052 147240->147241 147242 449028 147240->147242 147591 4a4870 15 API calls 147241->147591 147590 4a4870 15 API calls 147242->147590 147243->147232 147256 448d37 147243->147256 147584 441d90 15 API calls 147243->147584 147585 441de0 20 API calls 147243->147585 147247 4499a1 147250 4499e8 GetProcAddress 147247->147250 147248 44928d 147251 449365 147248->147251 147252 44933b 147248->147252 147285 449a14 147250->147285 147595 4a4870 15 API calls 147251->147595 147594 4a4870 15 API calls 147252->147594 147254 4495a0 147259 44964e 147254->147259 147260 449678 147254->147260 147256->147240 147264 44904a 147256->147264 147588 441d90 15 API calls 147256->147588 147589 441de0 20 API calls 147256->147589 147598 4a4870 15 API calls 147259->147598 147599 4a4870 15 API calls 147260->147599 147262 4498cb 147267 44997f 147262->147267 147268 4499a9 147262->147268 147264->147248 147270 44935d 147264->147270 147592 441d90 15 API calls 147264->147592 147593 441de0 20 API calls 147264->147593 147602 4a4870 15 API calls 147267->147602 147603 4a4870 15 API calls 147268->147603 147270->147254 147273 449670 147270->147273 147596 441d90 15 API calls 
147270->147596 147597 441de0 20 API calls 147270->147597 147273->147247 147273->147262 147600 441d90 15 API calls 147273->147600 147601 441de0 20 API calls 147273->147601 147274 449c1f 147276 449cd2 147274->147276 147277 449cfc 147274->147277 147606 4a4870 15 API calls 147276->147606 147607 4a4870 15 API calls 147277->147607 147281 449f4f 147283 44a002 147281->147283 147284 44a02c 147281->147284 147610 4a4870 15 API calls 147283->147610 147611 4a4870 15 API calls 147284->147611 147285->147274 147295 449cf4 147285->147295 147604 441d90 15 API calls 147285->147604 147605 441de0 20 API calls 147285->147605 147290 44a27f 147291 44a332 147290->147291 147292 44a35c 147290->147292 147614 4a4870 15 API calls 147291->147614 147615 4a4870 15 API calls 147292->147615 147295->147281 147303 44a024 147295->147303 147608 441d90 15 API calls 147295->147608 147609 441de0 20 API calls 147295->147609 147298 44a662 147618 4a4870 15 API calls 147298->147618 147299 44a68c 147619 4a4870 15 API calls 147299->147619 147300 44a5af 147300->147298 147300->147299 147301 44a8df 147307 44a992 147301->147307 147308 44a9bc 147301->147308 147303->147290 147310 44a354 147303->147310 147612 441d90 15 API calls 147303->147612 147613 441de0 20 API calls 147303->147613 147622 4a4870 15 API calls 147307->147622 147623 4a4870 15 API calls 147308->147623 147310->147300 147317 44a684 147310->147317 147616 441d90 15 API calls 147310->147616 147617 441de0 20 API calls 147310->147617 147314 44acc2 147626 4a4870 15 API calls 147314->147626 147315 44acec 147627 4a4870 15 API calls 147315->147627 147316 44ac0f 147316->147314 147316->147315 147317->147301 147330 44a9b4 147317->147330 147620 441d90 15 API calls 147317->147620 147621 441de0 20 API calls 147317->147621 147321 44b674 147323 44b6bb GetProcAddress 147321->147323 147365 44b6e7 147323->147365 147324 44af3f 147325 44aff2 147324->147325 147326 44b01c 147324->147326 147630 4a4870 15 API calls 147325->147630 147631 4a4870 15 API calls 147326->147631 147328 
44b26f 147333 44b322 147328->147333 147334 44b34c 147328->147334 147330->147316 147338 44ace4 147330->147338 147624 441d90 15 API calls 147330->147624 147625 441de0 20 API calls 147330->147625 147634 4a4870 15 API calls 147333->147634 147635 4a4870 15 API calls 147334->147635 147336 44b59f 147341 44b652 147336->147341 147342 44b67c 147336->147342 147338->147324 147344 44b014 147338->147344 147628 441d90 15 API calls 147338->147628 147629 441de0 20 API calls 147338->147629 147638 4a4870 15 API calls 147341->147638 147639 4a4870 15 API calls 147342->147639 147344->147328 147347 44b344 147344->147347 147632 441d90 15 API calls 147344->147632 147633 441de0 20 API calls 147344->147633 147347->147321 147347->147336 147636 441d90 15 API calls 147347->147636 147637 441de0 20 API calls 147347->147637 147349 44b8f2 147350 44b9a6 147349->147350 147351 44b9d0 147349->147351 147642 4a4870 15 API calls 147350->147642 147643 4a4870 15 API calls 147351->147643 147352 44c68c 147355 44c6e5 FreeLibrary 147352->147355 147405 44c708 147352->147405 147355->147359 147357 44bc23 147360 44bcd7 147357->147360 147361 44bd01 147357->147361 147646 4a4870 15 API calls 147360->147646 147647 4a4870 15 API calls 147361->147647 147365->147349 147372 44b9c8 147365->147372 147640 441d90 15 API calls 147365->147640 147641 441de0 20 API calls 147365->147641 147367 44bf54 147368 44c032 147367->147368 147369 44c008 147367->147369 147651 4a4870 15 API calls 147368->147651 147650 4a4870 15 API calls 147369->147650 147372->147357 147379 44bcf9 147372->147379 147644 441d90 15 API calls 147372->147644 147645 441de0 20 API calls 147372->147645 147375 44c285 147376 44c363 147375->147376 147377 44c339 147375->147377 147655 4a4870 15 API calls 147376->147655 147654 4a4870 15 API calls 147377->147654 147379->147367 147386 44c02a 147379->147386 147648 441d90 15 API calls 147379->147648 147649 441de0 20 API calls 147379->147649 147383 44c5b6 147384 44c694 147383->147384 147385 44c66a 147383->147385 147659 4a4870 15 
API calls 147384->147659 147658 4a4870 15 API calls 147385->147658 147386->147375 147390 44c35b 147386->147390 147652 441d90 15 API calls 147386->147652 147653 441de0 20 API calls 147386->147653 147390->147352 147390->147383 147656 441d90 15 API calls 147390->147656 147657 441de0 20 API calls 147390->147657 147392 44c92e 147393 44c9e1 147392->147393 147394 44ca0b 147392->147394 147662 4a4870 15 API calls 147393->147662 147663 4a4870 15 API calls 147394->147663 147399 44cc5e 147400 44cd11 147399->147400 147401 44cd3b 147399->147401 147666 4a4870 15 API calls 147400->147666 147667 4a4870 15 API calls 147401->147667 147403 44cf8e 147408 44d041 147403->147408 147409 44d06b 147403->147409 147405->147392 147412 44ca03 147405->147412 147660 441d90 15 API calls 147405->147660 147661 441de0 20 API calls 147405->147661 147670 4a4870 15 API calls 147408->147670 147671 4a4870 15 API calls 147409->147671 147412->147399 147420 44cd33 147412->147420 147664 441d90 15 API calls 147412->147664 147665 441de0 20 API calls 147412->147665 147415 44d2be 147416 44d371 147415->147416 147417 44d39b 147415->147417 147674 4a4870 15 API calls 147416->147674 147675 4a4870 15 API calls 147417->147675 147418 44d5ee 147424 44d6a1 147418->147424 147425 44d6cb 147418->147425 147420->147403 147426 44d063 147420->147426 147668 441d90 15 API calls 147420->147668 147669 441de0 20 API calls 147420->147669 147678 4a4870 15 API calls 147424->147678 147679 4a4870 15 API calls 147425->147679 147426->147415 147430 44d393 147426->147430 147672 441d90 15 API calls 147426->147672 147673 441de0 20 API calls 147426->147673 147430->147418 147445 44d6c3 147430->147445 147676 441d90 15 API calls 147430->147676 147677 441de0 20 API calls 147430->147677 147432 44d936 147433 44da13 147432->147433 147434 44d9e9 147432->147434 147683 4a4870 15 API calls 147433->147683 147682 4a4870 15 API calls 147434->147682 147439 44dc66 147440 44dd43 147439->147440 147441 44dd19 147439->147441 147687 4a4870 15 API calls 147440->147687 
147686 4a4870 15 API calls 147441->147686 147443 44df96 147448 44e073 147443->147448 147449 44e049 147443->147449 147445->147432 147454 44da0b 147445->147454 147680 441d90 15 API calls 147445->147680 147681 441de0 20 API calls 147445->147681 147691 4a4870 15 API calls 147448->147691 147690 4a4870 15 API calls 147449->147690 147451 44e9dd 147457 44ea38 InternetOpenA 147451->147457 147452 44e2c6 147458 44e3a3 147452->147458 147459 44e379 147452->147459 147454->147439 147461 44dd3b 147454->147461 147684 441d90 15 API calls 147454->147684 147685 441de0 20 API calls 147454->147685 147492 44ea57 147457->147492 147695 4a4870 15 API calls 147458->147695 147694 4a4870 15 API calls 147459->147694 147461->147443 147468 44e06b 147461->147468 147688 441d90 15 API calls 147461->147688 147689 441de0 20 API calls 147461->147689 147465 44e6b5 147699 4a4870 15 API calls 147465->147699 147466 44e68b 147698 4a4870 15 API calls 147466->147698 147467 44e5de 147467->147465 147467->147466 147468->147452 147479 44e39b 147468->147479 147692 441d90 15 API calls 147468->147692 147693 441de0 20 API calls 147468->147693 147473 44e908 147475 44e9e5 147473->147475 147476 44e9bb 147473->147476 147474 44f036 147478 44f074 FreeLibrary 147474->147478 147512 44f097 147474->147512 147703 4a4870 15 API calls 147475->147703 147702 4a4870 15 API calls 147476->147702 147478->147359 147479->147467 147482 44e6ad 147479->147482 147696 441d90 15 API calls 147479->147696 147697 441de0 20 API calls 147479->147697 147482->147451 147482->147473 147700 441d90 15 API calls 147482->147700 147701 441de0 20 API calls 147482->147701 147484 44ec53 147485 44ed01 147484->147485 147486 44ed2b 147484->147486 147706 4a4870 15 API calls 147485->147706 147707 4a4870 15 API calls 147486->147707 147488 44ef66 147493 44f014 147488->147493 147494 44f03e 147488->147494 147492->147484 147501 44ed23 147492->147501 147704 441d90 15 API calls 147492->147704 147705 441de0 20 API calls 147492->147705 147710 4a4870 15 API calls 
147493->147710 147711 4a4870 15 API calls 147494->147711 147498 44f2a5 147503 44f352 147498->147503 147504 44f37c 147498->147504 147499 44f698 std::runtime_error::runtime_error _strlen 147502 44f6f6 InternetOpenUrlA 147499->147502 147501->147474 147501->147488 147708 441d90 15 API calls 147501->147708 147709 441de0 20 API calls 147501->147709 147505 44f734 FreeLibrary 147502->147505 147506 44f782 InternetReadFile 147502->147506 147714 4a4870 15 API calls 147503->147714 147715 4a4870 15 API calls 147504->147715 147517 44f75f 147505->147517 147510 44f7b2 147506->147510 147511 44f7bb FreeLibrary 147506->147511 147510->147506 147510->147511 147518 454c60 std::ios_base::failure::failure 41 API calls 147510->147518 147526 44f82a std::ios_base::failure::failure 147511->147526 147512->147498 147519 44f374 147512->147519 147712 441d90 15 API calls 147512->147712 147713 441de0 20 API calls 147512->147713 147515 44f676 147718 4a4870 15 API calls 147515->147718 147516 44f6a0 147719 4a4870 15 API calls 147516->147719 147720 444120 39 API calls task 147517->147720 147518->147510 147519->147499 147520 44f5c9 147519->147520 147716 441d90 15 API calls 147519->147716 147717 441de0 20 API calls 147519->147717 147520->147515 147520->147516 147721 444120 39 API calls task 147526->147721 147528->147122 147529->147122 147530->147123 147531->147123 147532->147137 147533->147137 147534->147141 147535->147141 147536->147141 147537->147141 147538->147124 147539->147124 147540->147151 147541->147151 147542->147162 147543->147162 147544->147162 147545->147162 147546->147169 147547->147169 147548->147169 147549->147169 147550->147180 147551->147180 147552->147180 147553->147180 147554->147188 147555->147188 147556->147188 147557->147188 147558->147194 147559->147194 147560->147194 147561->147194 147562->147203 147563->147203 147564->147203 147565->147203 147566->147216 147567->147216 147568->147216 147569->147216 147570->147220 147571->147220 147572->147220 147573->147220 147574->147223 
147575->147223 147576->147223 147577->147223 147578->147198 147579->147198 147580->147233 147581->147233 147582->147243 147583->147243 147584->147243 147585->147243 147586->147256 147587->147256 147588->147256 147589->147256 147590->147264 147591->147264 147592->147264 147593->147264 147594->147270 147595->147270 147596->147270 147597->147270 147598->147273 147599->147273 147600->147273 147601->147273 147602->147247 147603->147247 147604->147285 147605->147285 147606->147295 147607->147295 147608->147295 147609->147295 147610->147303 147611->147303 147612->147303 147613->147303 147614->147310 147615->147310 147616->147310 147617->147310 147618->147317 147619->147317 147620->147317 147621->147317 147622->147330 147623->147330 147624->147330 147625->147330 147626->147338 147627->147338 147628->147338 147629->147338 147630->147344 147631->147344 147632->147344 147633->147344 147634->147347 147635->147347 147636->147347 147637->147347 147638->147321 147639->147321 147640->147365 147641->147365 147642->147372 147643->147372 147644->147372 147645->147372 147646->147379 147647->147379 147648->147379 147649->147379 147650->147386 147651->147386 147652->147386 147653->147386 147654->147390 147655->147390 147656->147390 147657->147390 147658->147352 147659->147352 147660->147405 147661->147405 147662->147412 147663->147412 147664->147412 147665->147412 147666->147420 147667->147420 147668->147420 147669->147420 147670->147426 147671->147426 147672->147426 147673->147426 147674->147430 147675->147430 147676->147430 147677->147430 147678->147445 147679->147445 147680->147445 147681->147445 147682->147454 147683->147454 147684->147454 147685->147454 147686->147461 147687->147461 147688->147461 147689->147461 147690->147468 147691->147468 147692->147468 147693->147468 147694->147479 147695->147479 147696->147479 147697->147479 147698->147482 147699->147482 147700->147482 147701->147482 147702->147451 147703->147451 147704->147492 147705->147492 147706->147501 147707->147501 
147708->147501 147709->147501 147710->147474 147711->147474 147712->147512 147713->147512 147714->147519 147715->147519 147716->147519 147717->147519 147718->147499 147719->147499 147720->147359 147721->147359
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 53db8f6e6405de823a0a18ad8dfc88952a0adcd1bcb737ad095a0a4f2aceb909
                                                              • Instruction ID: 405fb146664702627d62ed2c50e51a81bf0597ae87576f40e66a1eeda1d63964
                                                              • Opcode Fuzzy Hash: 53db8f6e6405de823a0a18ad8dfc88952a0adcd1bcb737ad095a0a4f2aceb909
                                                              • Instruction Fuzzy Hash: 47144671C00A2CCAEB62DF24CC916AEB775FF46345F1082DAD50A7A241EB359AD1CF49

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 2537 39b4ba2-39b4bb2 2538 39b4bb8-39b4beb call 39b46d4 2537->2538 2539 39b4e23-39b4e26 2537->2539 2542 39b4e22 2538->2542 2543 39b4bf1-39b4c00 call 39b46d4 2538->2543 2542->2539 2543->2542 2546 39b4c06-39b4c5f KiUserCallbackDispatcher GetSystemMetrics call 39b3576 * 4 GetDC 2543->2546 2555 39b4e20-39b4e21 2546->2555 2556 39b4c65-39b4c72 GetCurrentObject 2546->2556 2555->2542 2557 39b4c78-39b4c89 GetObjectW 2556->2557 2558 39b4e17-39b4e1a ReleaseDC 2556->2558 2557->2558 2559 39b4c8f-39b4d1e call 39b35db DeleteObject CreateCompatibleDC 2557->2559 2558->2555 2559->2558 2562 39b4d24-39b4d3f CreateDIBSection 2559->2562 2563 39b4e10-39b4e11 DeleteDC 2562->2563 2564 39b4d45-39b4d4f SelectObject 2562->2564 2563->2558 2565 39b4e09-39b4e0a DeleteObject 2564->2565 2566 39b4d55-39b4d74 BitBlt 2564->2566 2565->2563 2566->2565 2567 39b4d7a-39b4d8c call 39b3508 2566->2567 2567->2565 2570 39b4d8e-39b4df9 call 39b354b * 3 call 39b3d76 2567->2570 2578 39b4dfe-39b4e04 call 39b3536 2570->2578 2578->2565
                                                              APIs
                                                                • Part of subcall function 039B46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,039B4812), ref: 039B46E6
                                                                • Part of subcall function 039B46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,039B4812), ref: 039B46F3
                                                              • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 039B4C13
                                                              • GetSystemMetrics.USER32(0000004D), ref: 039B4C1A
                                                              • GetDC.USER32(00000000), ref: 039B4C55
                                                              • GetCurrentObject.GDI32(00000000,00000007), ref: 039B4C68
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 039B4C81
                                                              • DeleteObject.GDI32(00000000), ref: 039B4CB3
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 039B4D14
                                                              • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 039B4D35
                                                              • SelectObject.GDI32(00000000,00000000), ref: 039B4D47
                                                              • BitBlt.GDI32(00000000,00000000,00000000,?,039B2468,00000000,?,?,00CC0020), ref: 039B4D6C
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                                • Part of subcall function 039B3D76: EnterCriticalSection.KERNEL32(039B84D4,00000000,00000000,00000000,?,?,?,?,?,039B3EEB,00000000,00000000,00000000,00000000,00000000), ref: 039B3D88
                                                                • Part of subcall function 039B3536: GetProcessHeap.KERNEL32(00000000,00000000,039B518A), ref: 039B353D
                                                                • Part of subcall function 039B3536: RtlFreeHeap.NTDLL(00000000), ref: 039B3544
                                                              • DeleteObject.GDI32(00000000), ref: 039B4E0A
                                                              • DeleteDC.GDI32(00000000), ref: 039B4E11
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 039B4E1A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
                                                              • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
                                                              • API String ID: 1387450592-1028866296
                                                              • Opcode ID: 6d66616ecb60f4fec303c53a57eb0ec968ce4a51e5ca389ce4735c058ab68628
                                                              • Instruction ID: 6fffa3a828d80200547dd1334ec6e3bc5787c40d28e258ae43ed4b31b04a8fa2
                                                              • Opcode Fuzzy Hash: 6d66616ecb60f4fec303c53a57eb0ec968ce4a51e5ca389ce4735c058ab68628
                                                              • Instruction Fuzzy Hash: 2271A075D04308ABDB21EFE5DE45BEEBB78EF48740F144059E604BB291EBB09A04CB55

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 2580 39b1000-39b1018 2581 39b101e-39b1028 2580->2581 2582 39b1412-39b1418 2580->2582 2581->2582 2583 39b102e-39b1037 call 39b407d 2581->2583 2583->2582 2586 39b103d-39b1059 call 39b3508 * 2 2583->2586 2591 39b105f-39b1061 2586->2591 2592 39b1404-39b140d call 39b3536 * 2 2586->2592 2591->2592 2593 39b1067-39b116d call 39b3600 FindFirstFileW 2591->2593 2592->2582 2599 39b1173-39b1192 call 39b363b * 2 2593->2599 2600 39b13d5-39b1401 call 39b3576 * 3 2593->2600 2609 39b13ba 2599->2609 2610 39b1198-39b11b7 call 39b3600 2599->2610 2600->2592 2612 39b13bd-39b13c4 2609->2612 2617 39b1769-39b1770 2610->2617 2618 39b11bd-39b11cf call 39b372b 2610->2618 2616 39b13cd-39b13cf 2612->2616 2616->2599 2616->2600 2617->2609 2620 39b1776-39b1794 call 39b363b call 39b3b60 2617->2620 2618->2617 2623 39b11d5-39b11e7 call 39b372b 2618->2623 2630 39b17eb-39b17f0 2620->2630 2631 39b1796-39b17e3 call 39b3508 call 39b3600 call 39b3eb6 2620->2631 2623->2617 2629 39b11ed-39b120f call 39b363b call 39b3b60 2623->2629 2648 39b171e-39b1749 call 39b40ba 2629->2648 2649 39b1215-39b121b 2629->2649 2632 39b199b-39b19d2 call 39b3600 call 39b3eb6 2630->2632 2633 39b17f6-39b17fb 2630->2633 2631->2630 2651 39b19d7-39b19da 2632->2651 2633->2632 2638 39b1801-39b1806 2633->2638 2638->2632 2642 39b180c-39b1811 2638->2642 2642->2632 2647 39b1817-39b181c 2642->2647 2647->2632 2652 39b1822-39b1827 2647->2652 2660 39b174f-39b175a call 39b372b 2648->2660 2661 39b152d-39b1534 call 39b3536 2648->2661 2649->2648 2654 39b1221-39b1227 2649->2654 2651->2612 2652->2632 2656 39b182d-39b1832 2652->2656 2654->2648 2658 39b122d-39b1233 2654->2658 2656->2632 2659 39b1838-39b183d 2656->2659 2658->2648 2662 39b1239-39b123f 2658->2662 2659->2632 2663 39b1843-39b1848 2659->2663 2660->2661 2673 39b1760-39b1762 2660->2673 2661->2609 2662->2648 2666 39b1245-39b124b 2662->2666 2663->2632 2667 39b184e-39b1853 2663->2667 2666->2648 2671 39b1251-39b1257 
2666->2671 2667->2632 2668 39b1859-39b185e 2667->2668 2668->2609 2672 39b1864-39b1878 call 39b446c 2668->2672 2671->2648 2674 39b125d-39b1263 2671->2674 2679 39b187e-39b1883 2672->2679 2680 39b14b4-39b14be call 39b3536 2672->2680 2673->2617 2674->2648 2676 39b1269-39b126f 2674->2676 2676->2648 2678 39b1275-39b127b 2676->2678 2678->2648 2681 39b1281-39b1287 2678->2681 2679->2680 2683 39b1889-39b18a1 call 39b36f1 2679->2683 2680->2609 2681->2648 2684 39b128d-39b1293 2681->2684 2683->2680 2690 39b18a7-39b18bf call 39b36f1 2683->2690 2684->2648 2687 39b1299-39b129f 2684->2687 2687->2648 2689 39b12a5-39b12ab 2687->2689 2689->2648 2691 39b12b1-39b12b7 2689->2691 2690->2680 2697 39b18c5-39b18db call 39b369c 2690->2697 2691->2648 2693 39b12bd-39b12c3 2691->2693 2693->2648 2694 39b12c9-39b12cf 2693->2694 2694->2648 2696 39b12d5-39b12db 2694->2696 2696->2648 2698 39b12e1-39b12e7 2696->2698 2697->2680 2703 39b18e1-39b18ed call 39b3625 2697->2703 2698->2648 2700 39b12ed-39b12f3 2698->2700 2700->2648 2702 39b12f9-39b12ff 2700->2702 2702->2648 2704 39b1305-39b130b 2702->2704 2708 39b14ad-39b14af call 39b3536 2703->2708 2709 39b18f3-39b1906 call 39b1a62 2703->2709 2704->2648 2707 39b1311-39b1317 2704->2707 2707->2648 2710 39b131d-39b1323 2707->2710 2708->2680 2709->2708 2716 39b190c-39b1911 2709->2716 2710->2648 2713 39b1329-39b132f 2710->2713 2713->2648 2715 39b1335-39b133b 2713->2715 2715->2648 2717 39b1341-39b1347 2715->2717 2716->2708 2718 39b1917-39b1929 call 39b1c94 2716->2718 2719 39b134d-39b1353 2717->2719 2720 39b168c-39b16c1 call 39b40ba 2717->2720 2727 39b192b-39b1974 call 39b1ba5 call 39b3600 call 39b3d76 2718->2727 2728 39b198e-39b1996 call 39b3536 2718->2728 2719->2720 2723 39b1359-39b135f 2719->2723 2720->2680 2729 39b16c7-39b16d2 call 39b372b 2720->2729 2723->2720 2726 39b1365-39b136b 2723->2726 2730 39b1662-39b1687 EnterCriticalSection call 39b4e27 LeaveCriticalSection 2726->2730 2731 39b1371-39b1377 2726->2731 2765 39b1979-39b198b call 39b3536 * 2 2727->2765 
2728->2708 2729->2680 2747 39b16d8-39b1719 call 39b3efc 2729->2747 2730->2609 2731->2730 2736 39b137d-39b1383 2731->2736 2737 39b1419-39b141f 2736->2737 2738 39b1389-39b13b4 call 39b3efc 2736->2738 2744 39b14c3-39b14c9 2737->2744 2745 39b1425-39b1447 call 39b40ba 2737->2745 2738->2609 2750 39b14cb-39b14ed call 39b40ba 2744->2750 2751 39b1539-39b153f 2744->2751 2745->2680 2761 39b1449-39b1454 call 39b372b 2745->2761 2747->2680 2750->2661 2768 39b14ef-39b14fa call 39b372b 2750->2768 2754 39b1541-39b1563 call 39b40ba 2751->2754 2755 39b1576-39b157c 2751->2755 2754->2661 2772 39b1565-39b1570 call 39b372b 2754->2772 2763 39b165b 2755->2763 2764 39b1582-39b1588 2755->2764 2761->2680 2781 39b1456-39b14a7 call 39b3508 call 39b3600 call 39b3eb6 2761->2781 2763->2730 2764->2763 2769 39b158e-39b1594 2764->2769 2765->2728 2768->2661 2788 39b14fc 2768->2788 2775 39b15a9-39b15af 2769->2775 2776 39b1596-39b159d 2769->2776 2772->2661 2791 39b1572-39b1574 2772->2791 2778 39b15e3-39b160b call 39b40ba 2775->2778 2779 39b15b1-39b15b7 2775->2779 2776->2775 2778->2661 2795 39b1611-39b161c call 39b372b 2778->2795 2779->2778 2784 39b15b9-39b15bf 2779->2784 2781->2708 2784->2778 2789 39b15c1-39b15c7 2784->2789 2793 39b14fe-39b1527 call 39b3efc 2788->2793 2789->2778 2794 39b15c9-39b15cf 2789->2794 2791->2793 2793->2661 2794->2778 2799 39b15d1-39b15d8 call 39b1000 2794->2799 2795->2661 2807 39b1622-39b1656 call 39b3efc 2795->2807 2806 39b15dd-39b15de 2799->2806 2806->2609 2807->2661
                                                              APIs
                                                              • FindNextFileW.KERNELBASE(?,?), ref: 039B13C7
                                                                • Part of subcall function 039B407D: GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • FindFirstFileW.KERNELBASE(00000000,?,0120EDB0,?), ref: 039B1161
                                                                • Part of subcall function 039B3EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 039B3F5D
                                                                • Part of subcall function 039B3EFC: FindNextFileW.KERNEL32(039B1710,?), ref: 039B3FFE
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B1668
                                                              • LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B1681
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                                                              • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram$p2Wu 2Wu
                                                              • API String ID: 1893179121-2566755545
                                                              • Opcode ID: 608397f19bb3905d7f1d24f4de6793530245e996a4043346c0b16bdd160ec169
                                                              • Instruction ID: 601751374401e0e3cfc215075b1db273505c87d3fbbce64911d009d7ff559dff
                                                              • Opcode Fuzzy Hash: 608397f19bb3905d7f1d24f4de6793530245e996a4043346c0b16bdd160ec169
                                                              • Instruction Fuzzy Hash: 7A323975E0431497DF25EBA88AE0BFDB3B9AF84340F18406AD405EB290EB748D85CB91

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • GetCurrentHwProfileA.ADVAPI32(?), ref: 039B210B
                                                              • GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 039B2132
                                                              • GlobalMemoryStatusEx.KERNELBASE(?), ref: 039B2166
                                                              • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 039B21E8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                                                              • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                                                              • API String ID: 330852582-565344305
                                                              • Opcode ID: 1fc33726b0837e7f93321702b834d10515cfddf39d5d8a56fd3407cc6397360b
                                                              • Instruction ID: 500571927051cd239744152e83e9e3873e6a45f64126747c838c1afc3aa7f5f8
                                                              • Opcode Fuzzy Hash: 1fc33726b0837e7f93321702b834d10515cfddf39d5d8a56fd3407cc6397360b
                                                              • Instruction Fuzzy Hash: AA41BF71A083059BD321DF54C981BEBB7B9EFC8350F044A2DF9899B241EB70D944CBA2

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000), ref: 039B4ECD
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B4F89
                                                                • Part of subcall function 039B4E27: LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B4FA6
                                                              • FindNextFileW.KERNELBASE(?,?), ref: 039B5175
                                                                • Part of subcall function 039B407D: GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                                                              • String ID: %s\%s$%s\*$Telegram$p2Wu 2Wu
                                                              • API String ID: 648860119-2652803574
                                                              • Opcode ID: 9b9a395f638a4aa6bf4dbb301c3d043154f96ef0031102438c6ab03b89d2cbe3
                                                              • Instruction ID: 04081aadaa43d067ac8ebb91a3da42b4b2b29a559655acc57e06f70fccb982ed
                                                              • Opcode Fuzzy Hash: 9b9a395f638a4aa6bf4dbb301c3d043154f96ef0031102438c6ab03b89d2cbe3
                                                              • Instruction Fuzzy Hash: 12A18629E14348A9EF10EBE0EE45BFEB375EF84710F10545AE504EF2A0FBB14A458759

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?), ref: 039B1D83
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • FindNextFileW.KERNELBASE(00000000,?), ref: 039B1F07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
                                                              • String ID: %s%s$%s\%s$%s\*$p2Wu 2Wu
                                                              • API String ID: 3555643018-2720432865
                                                              • Opcode ID: 4adfcd760b9ce20dace10c24180fe03ccb93bbe357426c66514317937abd705d
                                                              • Instruction ID: 10d5fee29b202c40abfbbb888b13c6b3703b452c4444857e20b05e42163557d1
                                                              • Opcode Fuzzy Hash: 4adfcd760b9ce20dace10c24180fe03ccb93bbe357426c66514317937abd705d
                                                              • Instruction Fuzzy Hash: 6841AE7960C3459BC714EB64DAE0AFEB7B9AFC8640F04091EE855CB2A1EB31C9058796

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 039B46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,039B4812), ref: 039B46E6
                                                                • Part of subcall function 039B46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,039B4812), ref: 039B46F3
                                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 039B1CF3
                                                              • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 039B1D29
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
                                                              • String ID: CRYPT32.dll$Poverty is the parent of crime.
                                                              • API String ID: 3642467563-1885057629
                                                              • Opcode ID: 74c8b3c43c3579ca4f9358867e7b506a7af54bd1ba57264b99cf66456bfa02bc
                                                              • Instruction ID: 83a135ce3d355dd1ce661e6e11ae0f2e643f8069cc46d6dda630b7f2db336f08
                                                              • Opcode Fuzzy Hash: 74c8b3c43c3579ca4f9358867e7b506a7af54bd1ba57264b99cf66456bfa02bc
                                                              • Instruction Fuzzy Hash: D7111DB6D0020DABDB10DFD5C9808EEBBBDEF48250F14456AE945B7240E770AE05CBA0

                                                              Control-flow Graph

                                                              APIs
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(039B84D4,00000DA3), ref: 039B220A
                                                              • CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 039B2222
                                                              • GetLastError.KERNEL32 ref: 039B2235
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                                                              • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$p2Wu 2Wu$shell32$systemd
                                                              • API String ID: 2005177960-4090078927
                                                              • Opcode ID: 4a44e4b6fe375cb3bb23570d375d4ebe3469338cb8937253a0bf5e3165272368
                                                              • Instruction ID: 1e2a72f6ee87f7e8536970d0662870a0ec005475639c7a67f4429e17fb15b780
                                                              • Opcode Fuzzy Hash: 4a44e4b6fe375cb3bb23570d375d4ebe3469338cb8937253a0bf5e3165272368
                                                              • Instruction Fuzzy Hash: 3CC1E134908388EEEB15FBA4DF49BED7B7AEF89700F040459E145AE1D1EBB14A45CB21

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 039B407D: GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B44F5
                                                              • LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B4541
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B45C4
                                                              • LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B45FD
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B463A
                                                              • LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B467D
                                                              • EnterCriticalSection.KERNEL32(039B84D4), ref: 039B4696
                                                              • LeaveCriticalSection.KERNEL32(039B84D4), ref: 039B46BF
                                                                • Part of subcall function 039B42EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,039B4574), ref: 039B4305
                                                                • Part of subcall function 039B42EC: GetProcAddress.KERNEL32(00000000), ref: 039B430E
                                                                • Part of subcall function 039B42EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,039B4574), ref: 039B431F
                                                                • Part of subcall function 039B42EC: GetProcAddress.KERNEL32(00000000), ref: 039B4322
                                                                • Part of subcall function 039B42EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,039B4574), ref: 039B43A4
                                                                • Part of subcall function 039B42EC: GetCurrentProcess.KERNEL32(039B4574,00000000,00000000,00000002,?,?,?,?,039B4574), ref: 039B43C0
                                                                • Part of subcall function 039B42EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,039B4574), ref: 039B43CF
                                                                • Part of subcall function 039B42EC: CloseHandle.KERNEL32(039B4574,?,?,?,?,039B4574), ref: 039B43FF
                                                                • Part of subcall function 039B3536: GetProcessHeap.KERNEL32(00000000,00000000,039B518A), ref: 039B353D
                                                                • Part of subcall function 039B3536: RtlFreeHeap.NTDLL(00000000), ref: 039B3544
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                                                              • String ID: @$\??\%s$\Network\Cookies
                                                              • API String ID: 330363434-2791195959
                                                              • Opcode ID: e9961c6211c51792ee9560b4b52991a26fe874c4e2587656d325b8a4c2da2114
                                                              • Instruction ID: e9775ee6d1c95786c12d2baecfbd97e5cad2b8099fe760fa59f83dd4aa0f5f7c
                                                              • Opcode Fuzzy Hash: e9961c6211c51792ee9560b4b52991a26fe874c4e2587656d325b8a4c2da2114
                                                              • Instruction Fuzzy Hash: F1716E75944208EFEB04EF90DA49BEDBBBAFF88704F108115F501AE1D1EBB19A45DB40

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 039B46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,039B4812), ref: 039B46E6
                                                                • Part of subcall function 039B46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,039B4812), ref: 039B46F3
                                                              • socket.WS2_32(?,00000001,00000000), ref: 039B5480
                                                              • connect.WS2_32(000000FF,?,00000010), ref: 039B54BF
                                                              • send.WS2_32(000000FF,00000000,00000000), ref: 039B54E1
                                                              • send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 039B54FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: send$HandleLibraryLoadModuleconnectsocket
                                                              • String ID: 146.70.169.164$ws2_32.dll
                                                              • API String ID: 2781119014-4085977579
                                                              • Opcode ID: fe9bebb4fc0a695b68c4848b175815daac46a1f3d9bddc90b512260e7d34b4d6
                                                              • Instruction ID: 8da63adde2a07fdd722407016b6f28a3ff1a4ca5631221c5f9e9dbec65c0dc24
                                                              • Opcode Fuzzy Hash: fe9bebb4fc0a695b68c4848b175815daac46a1f3d9bddc90b512260e7d34b4d6
                                                              • Instruction Fuzzy Hash: 8E519430C082C9EEEB11CBE8D9097EDBFB89F16314F144589D660AE2C1D3B54746CB61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: d4137abde05eb6284f1f255d9d1e2e5f224ebbd0f55ebe316855f986006acfd5
                                                              • Instruction ID: f0fff3c8a1a8181b71e14d2174fd4a1ff103814af665373ea0b136dc505e107f
                                                              • Opcode Fuzzy Hash: d4137abde05eb6284f1f255d9d1e2e5f224ebbd0f55ebe316855f986006acfd5
                                                              • Instruction Fuzzy Hash: E3634774C00A1CCADB22DF64D99169EF775FF56345F1082CAD80A3A202EB35AAD5CF49

                                                               Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 40a89a2f4d4875c30912881398c8260e686628a1ed6c5af8e9e836d53c093eb1
                                                              • Instruction ID: 8f61d37cbfb13cee6929cfeda52579fd79098b6fe4e267447921662eddd34652
                                                              • Opcode Fuzzy Hash: 40a89a2f4d4875c30912881398c8260e686628a1ed6c5af8e9e836d53c093eb1
                                                              • Instruction Fuzzy Hash: 12723A70C00A1CDBCB11DFA4D8916EEB775FF96349F10828AE80A3A242DB355AD5DF49
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 8768bc49777b57dfed6f19bd1d5754e923e0f90753de38e378fd7a1f43c80226
                                                              • Instruction ID: afa248acd709dcb01d8fa323a68c0b6d575ade8274679c3616a80b134a9c2d97
                                                              • Opcode Fuzzy Hash: 8768bc49777b57dfed6f19bd1d5754e923e0f90753de38e378fd7a1f43c80226
                                                              • Instruction Fuzzy Hash: 18D33771C04A1CCACB22DF24D9916AEF775FF56345F1082CAD80A3A242DB35AAD5CF49

                                                               Control-flow Graph

                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,039B22C4), ref: 039B486C
                                                                • Part of subcall function 039B46D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,039B4812), ref: 039B46E6
                                                                • Part of subcall function 039B46D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,039B4812), ref: 039B46F3
                                                              • GetCurrentProcess.KERNEL32(039B22C4), ref: 039B48E0
                                                              • IsWow64Process.KERNEL32(00000000), ref: 039B48E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                                                              • String ID: l$ntdl
                                                              • API String ID: 1207166019-924918826
                                                              • Opcode ID: 94cc35e62a94177e10e245c5468f6915544fdc5ea6de81a78a8c36d3c629e13e
                                                              • Instruction ID: fc28a7a83ad05135342ff4ed8f3f54f0cae961b47726884deb4c10bbb9f3be86
                                                              • Opcode Fuzzy Hash: 94cc35e62a94177e10e245c5468f6915544fdc5ea6de81a78a8c36d3c629e13e
                                                              • Instruction Fuzzy Hash: 0581D23060C352DAEB24EE55EB5ABF9337DFB04B50F14095AE3099F2C6E7B489449B06

                                                               Control-flow Graph

                                                              APIs
                                                              • ___scrt_release_startup_lock.LIBCMT ref: 0049FCF5
                                                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0049FD09
                                                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0049FD2F
                                                              • ___scrt_uninitialize_crt.LIBCMT ref: 0049FD72
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                                                              • String ID: VPWh
                                                              • API String ID: 3089971210-353207083
                                                              • Opcode ID: ebe178c4080110a3704f089e0ae4ace9b3f58741b32285d2ef740596bca42b3e
                                                              • Instruction ID: 68b3306cf5b454f0e7e75156aff33ce4733e0dd8412e3434e08eff8084b32163
                                                              • Opcode Fuzzy Hash: ebe178c4080110a3704f089e0ae4ace9b3f58741b32285d2ef740596bca42b3e
                                                              • Instruction Fuzzy Hash: C82107325482115ADE307B6A6C07A9F6B64DF53728F20023FF581A72C2DF2D4C06959D

                                                               Control-flow Graph

                                                              APIs
                                                              • LoadLibraryA.KERNELBASE(?), ref: 0045307F
                                                              • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 004530A2
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004530B7
                                                              • FreeLibrary.KERNEL32(?), ref: 004530C4
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Library$CreateFreeLoadObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 2432312608-0
                                                              • Opcode ID: 6023a4511b0ed1ecb6149e5ba4c839a59542371418399c8e16bdc40acbfddc96
                                                              • Instruction ID: f85d6a4bd3a822bc389c3cb7b9689ec4dbe4d7d735bd1e10c95675ec7aacffcf
                                                              • Opcode Fuzzy Hash: 6023a4511b0ed1ecb6149e5ba4c839a59542371418399c8e16bdc40acbfddc96
                                                              • Instruction Fuzzy Hash: F7011D7098031C9BDB649F54DC8DBA97734FB14715F1006D8EA19572A1CAB56E80CF58

                                                              Control-flow Graph

                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                              • GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                              • LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                              • String ID:
                                                              • API String ID: 1367039788-0
                                                              • Opcode ID: e160a0aa3ec5b370f58fb6017564f4f21e57271eb82e39463341c697a1675fce
                                                              • Instruction ID: 0f35f72c30cf6e306e61e8a46d136e277d6f7450af96c57b1cd6109b493f6c58
                                                              • Opcode Fuzzy Hash: e160a0aa3ec5b370f58fb6017564f4f21e57271eb82e39463341c697a1675fce
                                                              • Instruction Fuzzy Hash: 61D09E3260912067CB503BE9BA4D99BAA6CEFD9561705065BF205DB154EAB48C0587A0

                                                               Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,039B4812), ref: 039B46E6
                                                              • LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,039B4812), ref: 039B46F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: HandleLibraryLoadModule
                                                              • String ID: ntdl
                                                              • API String ID: 4133054770-3973061744
                                                              • Opcode ID: c47c90cd1152fa752a13243d116ec937f7ec05af6ee4a8b3600d67a2f5d27f63
                                                              • Instruction ID: 2d4b50bd3c82168c53f0ed68e17c5cc29aeb11266b056e1c67fcbf8343d1aed2
                                                              • Opcode Fuzzy Hash: c47c90cd1152fa752a13243d116ec937f7ec05af6ee4a8b3600d67a2f5d27f63
                                                              • Instruction Fuzzy Hash: EC318D79E006199BCB24CF9EC9D0ABDF7B9FF4A714F08029AD411A7742D734A951CBA0
                                                              APIs
                                                              • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 0049C9E8
                                                              • task.LIBCPMTD ref: 0049C9F6
                                                              Strings
                                                              • }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 0049C92A
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Concurrency::task_continuation_context::task_continuation_contexttask
                                                              • String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
                                                              • API String ID: 605201214-2946796713
                                                              • Opcode ID: 7cf3f687b2f83394f519d9372985090b4888ffa1a6c69f92836c8a77a454d404
                                                              • Instruction ID: 8e19dc65c1cc99acd29ee09c839559ed418d823ccfee078cdf838ff1dce764b8
                                                              • Opcode Fuzzy Hash: 7cf3f687b2f83394f519d9372985090b4888ffa1a6c69f92836c8a77a454d404
                                                              • Instruction Fuzzy Hash: 2031E3B1D04119DBDF04DF99C992BEEBBB1FB49304F20416AE415B7281DB786A04CBA5
                                                              APIs
                                                              • __freea.LIBCMT ref: 004AEF97
                                                                • Part of subcall function 004AAC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0049FB1F,00000000,?,0045322C,00000000,?,004413A5,00000000), ref: 004AAC47
                                                              • __freea.LIBCMT ref: 004AEFAA
                                                              • __freea.LIBCMT ref: 004AEFB7
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: __freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 2243444508-0
                                                              • Opcode ID: fb50c2443222d39842dce6ed4f57a60406ca4d5d256f03d5e4af4362a752b03e
                                                              • Instruction ID: 653e6bf68659c77b371d248c28ac9942f90821e4e480534fcd4a1f01f47211ec
                                                              • Opcode Fuzzy Hash: fb50c2443222d39842dce6ed4f57a60406ca4d5d256f03d5e4af4362a752b03e
                                                              • Instruction Fuzzy Hash: 7051B272600206BFEF219F629C85EAB7AA9EF66314F15002FFD24D7251E738CC50D669
                                                              APIs
                                                                • Part of subcall function 004B2A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 004B2AC0
                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,004B2DA5,?,00000000,?,00000000,?), ref: 004B2FC2
                                                              • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,004B2DA5,?,00000000,?,00000000,?), ref: 004B2FFE
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: CodeInfoPageValid
                                                              • String ID:
                                                              • API String ID: 546120528-0
                                                              • Opcode ID: a29c584404be1b1ad97c8c13038846620fa3d57d733b24250f5d1095f1d3d14b
                                                              • Instruction ID: 2e3d039ab46f14c212e88b8d69c6b31d74a9ee370df0c1aff47162a3cc468ce8
                                                              • Opcode Fuzzy Hash: a29c584404be1b1ad97c8c13038846620fa3d57d733b24250f5d1095f1d3d14b
                                                              • Instruction Fuzzy Hash: 15513770A003459EDB20DF3AC881AEBFBF4EF55304F14856FD18687251D6BD9A06CB69
                                                              APIs
                                                              • LCMapStringEx.KERNELBASE(?,004AEED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 004AE207
                                                              • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,004AEED2,?,?,-00000008,?,00000000), ref: 004AE225
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: String
                                                              • String ID:
                                                              • API String ID: 2568140703-0
                                                              • Opcode ID: b71cc5015ca926888c9c8c9feb654987e7054d14415f2b8a0eba80021c854803
                                                              • Instruction ID: eebab948241c13a3a451056fb69cebdab0372e3addbfe2bd6415c71960fdddc2
                                                              • Opcode Fuzzy Hash: b71cc5015ca926888c9c8c9feb654987e7054d14415f2b8a0eba80021c854803
                                                              • Instruction Fuzzy Hash: 76F07A3240011AFBCF126F92DC05EDE3F2AFF59760F058515FA2826120C736D831AB99
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,039B518A), ref: 039B353D
                                                              • RtlFreeHeap.NTDLL(00000000), ref: 039B3544
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Heap$FreeProcess
                                                              • String ID:
                                                              • API String ID: 3859560861-0
                                                              • Opcode ID: acd86c4fd27398319512f5950d61a835987c3391b3311ad605215513913f16e4
                                                              • Instruction ID: 2affa1296cceac4f298e62e6acf49f1b1f20f8757e59f5d7286254b0251701cc
                                                              • Opcode Fuzzy Hash: acd86c4fd27398319512f5950d61a835987c3391b3311ad605215513913f16e4
                                                              • Instruction Fuzzy Hash: 07B092745091006AEE48ABE19B4EB7A3628AF80703F04028DB20699048A6B880008620
                                                              APIs
                                                              • GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,004B2DA5,?), ref: 004B2B9B
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID:
                                                              • API String ID: 1807457897-0
                                                              • Opcode ID: ca34b0d0a932b88446d4a38ef9c6a615c0c962919a5523cfd94301c8ef839ac3
                                                              • Instruction ID: 6a68fac35b8f5fad500242e9e9163d9c2c1a8eb84136adc85220843a5a6d4a07
                                                              • Opcode Fuzzy Hash: ca34b0d0a932b88446d4a38ef9c6a615c0c962919a5523cfd94301c8ef839ac3
                                                              • Instruction Fuzzy Hash: 6A5159B1508158AFDB118F28CE84BEABF7CFB16304F1401EAE09987142C3B9AD85DB74
                                                              APIs
                                                              • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 004A037B
                                                                • Part of subcall function 004A106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,004A038E,?,?,?,?,004A038E,?,004C8484), ref: 004A10CC
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
                                                              • String ID:
                                                              • API String ID: 3447279179-0
                                                              • Opcode ID: e3be156ae10305c907634cc7b31913c1889c1f8f7884e8cdf344c64aaf6751e8
                                                              • Instruction ID: 60079fb62563850a5ae39e2d74793b7d5f6691cc3e24ae6f38cfde654e89fdfb
                                                              • Opcode Fuzzy Hash: e3be156ae10305c907634cc7b31913c1889c1f8f7884e8cdf344c64aaf6751e8
                                                              • Instruction Fuzzy Hash: ACF0BB3490420DB6CF04BAA6EC16E9E3B6C5911354F60413BB964954E2EF7CF649C19D
                                                              APIs
                                                              • Concurrency::cancel_current_task.LIBCPMTD ref: 00441477
                                                                • Part of subcall function 00453D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00453D89
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
                                                              • String ID:
                                                              • API String ID: 2103942186-0
                                                              • Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                              • Instruction ID: 012c671034d8ca14afae4a0d21e2dbdaff0e83feff946a997deea1fd14217eda
                                                              • Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                              • Instruction Fuzzy Hash: F3F04F74D01108ABDB04EFB8D5816AEF7B1EF84345F1081AAE80597355E638AF90DB89
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0049FB1F,00000000,?,0045322C,00000000,?,004413A5,00000000), ref: 004AAC47
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 14d678456d6fd334bce6543f2337d173b70ec09d2b719a6c52a34bb0087c5355
                                                              • Instruction ID: b3999f9b32da5023f7c1c4700651a0da6cea42130c4586b60edb3959e1129eea
                                                              • Opcode Fuzzy Hash: 14d678456d6fd334bce6543f2337d173b70ec09d2b719a6c52a34bb0087c5355
                                                              • Instruction Fuzzy Hash: 09E0E521144A1567F73136269D01B9B7B889F633B4F140127BD04963D0CB6CCC10C2EF
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00454B9E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: e2a05dc14b85d5a7191c9587270d7b0219d055b7efc31e6627645f29679d2bd4
                                                              • Instruction ID: 5b83d4c43c2d97aae3aa1b8f233d45dca752125368348a0cfddb2fc37f2eabb1
                                                              • Opcode Fuzzy Hash: e2a05dc14b85d5a7191c9587270d7b0219d055b7efc31e6627645f29679d2bd4
                                                              • Instruction Fuzzy Hash: 88D012B6A1011887CB209F69AC0A7A2777CF744317F14529EE95847103DB3655168F85
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: allocator
                                                              • String ID:
                                                              • API String ID: 3447690668-0
                                                              • Opcode ID: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                                                              • Instruction ID: 64460c40cbefb1174f503cd73c2d397f8a0a4cbb06a8ebb619c003496687111e
                                                              • Opcode Fuzzy Hash: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                                                              • Instruction Fuzzy Hash: 2DC09B3011410C5B8704DF89E491D55739D9BC87147004159BC1D4F352CA30FD40C958
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 516155b05eb94ef0e3e651213c70a12d9691449418e13a3994204e1d53808951
                                                              • Instruction ID: 0d0034755f5c83631ce2c37e6f4304b08b834e5f3f5dacc47dbe5f968eb92959
                                                              • Opcode Fuzzy Hash: 516155b05eb94ef0e3e651213c70a12d9691449418e13a3994204e1d53808951
                                                              • Instruction Fuzzy Hash: C3A022380302008BCA2C2B300B2A00E30000F8A2F03220B8EB033CC0C0FA38C2800000
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00458B81
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 56983583e4846e0adc0067511551d4d3bcd211bb462ecde76f15f20161adfe87
                                                              • Instruction ID: 262da0644b039e3e327ee109b5c99540c3805503ac1c7c27dedea95b37b063b0
                                                              • Opcode Fuzzy Hash: 56983583e4846e0adc0067511551d4d3bcd211bb462ecde76f15f20161adfe87
                                                              • Instruction Fuzzy Hash: 2921E5B1C059688BDB62CF24C9827ADB7B9AF52341F1092CAD80D76202DB346AC59F15
                                                              APIs
                                                                • Part of subcall function 039B407D: GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 039B3F5D
                                                              • FindNextFileW.KERNEL32(039B1710,?), ref: 039B3FFE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                                                              • String ID: %s%s$%s\%s$%s\*$p2Wu 2Wu
                                                              • API String ID: 674214967-2720432865
                                                              • Opcode ID: 8cbdc709b2ec90943d80cbcae359026bf655dad2c24b545991f5f13f91ff4781
                                                              • Instruction ID: 1281e44a11d89a425659391fab7264b571d1755330f88b496ce64492b76576b3
                                                              • Opcode Fuzzy Hash: 8cbdc709b2ec90943d80cbcae359026bf655dad2c24b545991f5f13f91ff4781
                                                              • Instruction Fuzzy Hash: F0312A39E0031967DB21FA65CEC5AFDB7799FC1640F0801A9EC05AB391EB318E46CB50
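Two of the function records above are the ones an analyst would triage first: the VirtualAlloc call with flAllocationType 0x3000 (MEM_COMMIT | MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) in the image-backed 00440000 module, and the FindFirstFileW/FindNextFileW pair with "%s\*" and "%s\%s" format strings in the Yara-matched 039B0000 region. The script below is an added example, not Joe Sandbox tooling or code from the sample: it parses "APIs" and "Source File" lines in the exact shape this report prints them and flags those two patterns plus code that lives in a non-image RWX region. The sample records are copied from this page; the reading of the .sdmp name fields (protection in the fifth field, region type in the seventh) is an assumption made from the names on this page, not a documented format.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example)."""
import re

# Windows constants from winnt.h.
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# One "• Api.MODULE(args), ref: ADDR" line, with or without the
# "Part of subcall function X:" prefix and with or without an argument list.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# ASSUMPTION: dump name is pid.snapshot.id.base.protect.state.type.x.sdmp
DUMP_RE = re.compile(r"Source File:\s*(?P<name>[0-9A-F]{8}(?:\.[0-9A-F]+){7}\.sdmp)")


def parse_args(s):
    """Hex stack arguments; '?' (unknown) becomes None, negatives wrap to 32 bits."""
    out = []
    for a in s.split(","):
        a = a.strip()
        out.append(None if a in ("", "?") else int(a, 16) & 0xFFFFFFFF)
    return out


def parse_record(text):
    """Split one function record into its API calls and its memory dump source."""
    calls, source = [], None
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            calls.append({
                "api": m["api"], "module": m["mod"],
                "args": parse_args(m["args"]) if m["args"] is not None else [],
                "ref": int(m["ref"], 16),
                "in_subcall": m["sub"] is not None,
            })
            continue
        m = DUMP_RE.search(line)
        if m:
            f = m["name"].split(".")
            source = {"base": int(f[3], 16), "protect": int(f[4], 16),
                      "type": int(f[6], 16)}  # assumed field layout, see DUMP_RE
    return calls, source


def triage(text):
    """Return string tags for the suspicious patterns found in one record."""
    calls, source = parse_record(text)
    findings = []
    direct = [c for c in calls if not c["in_subcall"]]  # ignore subcall context
    for c in direct:
        if c["api"] == "VirtualAlloc" and len(c["args"]) == 4:
            alloc_type, protect = c["args"][2], c["args"][3]
            if protect == PAGE_EXECUTE_READWRITE and alloc_type and alloc_type & MEM_COMMIT:
                findings.append(f"rwx_alloc@{c['ref']:08X}")
    if {"FindFirstFileW", "FindNextFileW"} <= {c["api"] for c in direct}:
        findings.append("dir_enum")
    if source and source["type"] == MEM_PRIVATE and source["protect"] == PAGE_EXECUTE_READWRITE:
        findings.append(f"private_rwx_region@{source['base']:08X}")
    return findings


# Records copied from this report (the "Download File" link text removed).
VIRTUALALLOC_RECORD = """\
APIs
• VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00458B81
Memory Dump Source
• Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
"""

FINDFILE_RECORD = """\
APIs
  • Part of subcall function 039B407D: GetFileAttributesW.KERNELBASE(039B5051,039B447E,?,?,?,?,?,?,?,?,?,?,?,?,?,039B3ECC), ref: 039B407E
  • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 039B3F5D
• FindNextFileW.KERNEL32(039B1710,?), ref: 039B3FFE
Memory Dump Source
• Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
"""

if __name__ == "__main__":
    for name, rec in (("VirtualAlloc", VIRTUALALLOC_RECORD), ("FindFile", FINDFILE_RECORD)):
        print(name, triage(rec))
```

The same parser runs over the full function list of a report: records whose dump source is image-backed (type MEM_IMAGE, protection 0x20 here) are usually CRT or packer code, while records in a private RWX region are the unpacked payload, which is where the Yara matches on this page sit.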
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,jWK,00000002,00000000,?,?,?,004B576A,?,00000000), ref: 004B54F1
                                                              • GetLocaleInfoW.KERNEL32(?,20001004,jWK,00000002,00000000,?,?,?,004B576A,?,00000000), ref: 004B551A
                                                              • GetACP.KERNEL32(?,?,004B576A,?,00000000), ref: 004B552F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID: ACP$OCP$jWK
                                                              • API String ID: 2299586839-2077913399
                                                              • Opcode ID: f0b00d21f1a272127388a1426481902345528c77e9f7a3c07612dee7905cdc66
                                                              • Instruction ID: c5ce2d9d96352792e8e551c9ce0091d88ea0cca87110e4b8d1929e6ff2d461d4
                                                              • Opcode Fuzzy Hash: f0b00d21f1a272127388a1426481902345528c77e9f7a3c07612dee7905cdc66
                                                              • Instruction Fuzzy Hash: F621C722600901B6DB308F54D905BD7F3A7AF50B62B668466E90AC7204F73ADD41D778
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 039B410D
                                                              • FindNextFileW.KERNEL32(000000FF,?), ref: 039B4159
                                                                • Part of subcall function 039B3536: GetProcessHeap.KERNEL32(00000000,00000000,039B518A), ref: 039B353D
                                                                • Part of subcall function 039B3536: RtlFreeHeap.NTDLL(00000000), ref: 039B3544
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FileFindHeap$FirstFreeNextProcess
                                                              • String ID: %s\%s$%s\*$p2Wu 2Wu
                                                              • API String ID: 1689202581-2037778434
                                                              • Opcode ID: f5fe0e0ac50617456ddacc9bd0aa22929f9ba88a590ccc4b6f163f7f6b7a96bb
                                                              • Instruction ID: cb6953af3955b0ec43d429332e18ec70ec102fcac6356a075cfdd0b9c66eb988
                                                              • Opcode Fuzzy Hash: f5fe0e0ac50617456ddacc9bd0aa22929f9ba88a590ccc4b6f163f7f6b7a96bb
                                                              • Instruction Fuzzy Hash: B631BC38B00318ABCB10FE66CEC46EF77BDEF95640F144469D905DB346EB3499418B50
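The two records above sit in different memory: the locale and code-page calls (GetLocaleInfoW, GetACP, IsValidCodePage) are CRT start-up noise inside the main image dumped at 00440000, while the FindFirstFileW/FindNextFileW loop with the "%s\*" and "%s\%s" format strings lives in the separately dumped region at 039B0000 that carries the Yara matches. Sorting the "APIs" entries by region is the quickest way to separate the two when triaging a report like this one. The script below is an added example, not Joe Sandbox code: the line format is inferred from the entries printed on this page, the sample lines are constructed copies in that shape, and the region bases and API categories are assumptions chosen for this sample (extend them to the dumps and APIs of the report at hand).

```python
"""Parse Joe Sandbox "APIs" entries and group them by memory region.

Added example, not Joe Sandbox code. The entry format is inferred from the
report text; REGION_BASES and CATEGORIES are assumptions for this sample.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the shape of the report's "APIs" entries.
SAMPLE_APIS = """\
• GetLocaleInfoW.KERNEL32(?,2000000B,jWK,00000002,00000000,?,?,?,004B576A,?,00000000), ref: 004B54F1
• GetACP.KERNEL32(?,?,004B576A,?,00000000), ref: 004B552F
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 039B410D
• FindNextFileW.KERNEL32(000000FF,?), ref: 039B4159
  • Part of subcall function 039B3536: GetProcessHeap.KERNEL32(00000000,00000000,039B518A), ref: 039B353D
  • Part of subcall function 039B3536: RtlFreeHeap.NTDLL(00000000), ref: 039B3544
• IsDebuggerPresent.KERNEL32 ref: 004A056D
• RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 004AD742
"""

# Assumed region table: base address of each memory dump named in the report.
# A call site is attributed to the dump with the highest base not above it.
REGION_BASES = {"image (JuHVfiAuLo.exe)": 0x00440000, "injected 039B0000": 0x039B0000}

# Assumed triage categories; extend as needed.
CATEGORIES = {
    "filesystem enumeration": {"FindFirstFileW", "FindNextFileW"},
    "anti-debug / crash handler": {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                                   "UnhandledExceptionFilter"},
    "crt locale init": {"GetLocaleInfoW", "GetACP", "IsValidCodePage", "IsValidLocale",
                        "EnumSystemLocalesW", "GetUserDefaultLCID"},
    "heap": {"GetProcessHeap", "RtlFreeHeap", "RtlAllocateHeap"},
}

# One entry: optional "Part of subcall function X:" prefix, Func.MODULE, optional
# "(args)", then "ref: <call-site address>". IsDebuggerPresent has no arg list.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple            # raw tokens; '?' means the sandbox could not resolve the value
    ref: int               # address of the call site
    parent: Optional[int]  # set when the entry belongs to a subcall function


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" are skipped
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        parent = int(m.group("parent"), 16) if m.group("parent") else None
        calls.append(ApiCall(m.group("func"), m.group("mod"), args,
                             int(m.group("ref"), 16), parent))
    return calls


def region_of(addr: int, bases: dict = REGION_BASES) -> str:
    candidates = [(base, name) for name, base in bases.items() if base <= addr]
    return max(candidates)[1] if candidates else "unknown"


def category_of(func: str) -> str:
    for name, funcs in CATEGORIES.items():
        if func in funcs:
            return name
    return "other"


def summarize(calls, bases: dict = REGION_BASES) -> dict:
    """Count API categories per region so injected-region activity stands out."""
    out = defaultdict(Counter)
    for c in calls:
        out[region_of(c.ref, bases)][category_of(c.func)] += 1
    return {region: dict(counts) for region, counts in out.items()}


def raise_exception_status(call: ApiCall) -> Optional[int]:
    """First RaiseException argument is the code; 0xC000000D is STATUS_INVALID_PARAMETER."""
    if call.func != "RaiseException" or not call.args or call.args[0] == "?":
        return None
    return int(call.args[0], 16)


if __name__ == "__main__":
    for region, counts in summarize(parse_api_lines(SAMPLE_APIS)).items():
        print(region, counts)
```

Run against a whole report, the per-region counts make the CRT locale and exception-filter calls in the image fall into their own bucket, leaving the file-enumeration and heap calls in the 039B0000 region as the part worth reversing; the RaiseException code 0xC000000D at 004AD742 is the CRT invalid-parameter handler, not malware logic.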
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004B573C
                                                              • IsValidCodePage.KERNEL32(00000000), ref: 004B577A
                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 004B578D
                                                              • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004B57D5
                                                              • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004B57F0
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                              • String ID:
                                                              • API String ID: 415426439-0
                                                              • Opcode ID: 3d229dde0747e8b539382e199085125f786ed06dc2a22f4dc803221b7f177000
                                                              • Instruction ID: 73e9fd3d4d8ab06f0e9a9ec98a77965fe6b5228385b573bcf5de4f4d2060056d
                                                              • Opcode Fuzzy Hash: 3d229dde0747e8b539382e199085125f786ed06dc2a22f4dc803221b7f177000
                                                              • Instruction Fuzzy Hash: C5518471A00609ABDB10EFA5CC41BFFB7B8BF09700F14446AE904E7291EB789951CB79
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • GetACP.KERNEL32(?,?,?,?,?,?,004A89B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004B4D7E
                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004A89B1,?,?,?,00000055,?,-00000050,?,?), ref: 004B4DB5
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004B4F18
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CodeInfoLocalePageValid
                                                              • String ID: utf8
                                                              • API String ID: 607553120-905460609
                                                              • Opcode ID: 1bcc3fb6fdc8fd0bc97dba2e73aac22ceded2c553211962b90b25afdac15c50d
                                                              • Instruction ID: 601085742d6bd818019a8bd414314c8a88741f833ffed89d122df31369e2c86d
                                                              • Opcode Fuzzy Hash: 1bcc3fb6fdc8fd0bc97dba2e73aac22ceded2c553211962b90b25afdac15c50d
                                                              • Instruction Fuzzy Hash: 0D71E931A00206AADB25AB75DC82BF773ACEF85704F10042BF615D7282EA7CE941867D
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004A04A1
                                                              • IsDebuggerPresent.KERNEL32 ref: 004A056D
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A0586
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 004A0590
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                              • String ID:
                                                              • API String ID: 254469556-0
                                                              • Opcode ID: a4cc44b2dae9a6eb2a6e6aeec7e875533691e4187117e8ee31e85d805c7ceb07
                                                              • Instruction ID: 334c4ca3b1d9a88a3959c04a249aa0894ebc25b0032eb5d4cfa8fa67b58f4224
                                                              • Opcode Fuzzy Hash: a4cc44b2dae9a6eb2a6e6aeec7e875533691e4187117e8ee31e85d805c7ceb07
                                                              • Instruction Fuzzy Hash: F7312975D01218DBDF20EFA4DC897CDBBB8AF18304F1041AAE50DAB250EB749A84CF48
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004B5130
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004B517A
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004B5240
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale$ErrorLast
                                                              • String ID:
                                                              • API String ID: 661929714-0
                                                              • Opcode ID: 0792e6c82f32761b7886d70a5b7b4e76f3ea072d2d45876ce7d0ad423aca3d67
                                                              • Instruction ID: b9ed09b1854fcc7192db64e0edc68670b35e2947c05e73ca2163a8f8a6af8a6d
                                                              • Opcode Fuzzy Hash: 0792e6c82f32761b7886d70a5b7b4e76f3ea072d2d45876ce7d0ad423aca3d67
                                                              • Instruction Fuzzy Hash: E06191719106079BEB28AF29CC42BEAB7A8EF14344F1441BBED05C6285E77CD951CF68
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004A447B
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004A4485
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004A4492
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: 88544c1ce8cab3339913c4032a8762a2d9c04a4253faa012f119f0dfe729953d
                                                              • Instruction ID: d3f6358fac3bd7bc65c9ce8753f87662d479f45008e0cdc478d87e604880088d
                                                              • Opcode Fuzzy Hash: 88544c1ce8cab3339913c4032a8762a2d9c04a4253faa012f119f0dfe729953d
                                                              • Instruction Fuzzy Hash: 1831E3749012289BCB21DF65D888BCDBBB8BF59314F5042EAE50CA7290E7749F858F48
                                                              APIs
                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004AD510,?,?,00000008,?,?,004B7A3B,00000000), ref: 004AD742
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaise
                                                              • String ID:
                                                              • API String ID: 3997070919-0
                                                              • Opcode ID: 47d63e2ab44fda961755b2d09c731f9f51ae90e2a096bf9a8cc4138956c01fdc
                                                              • Instruction ID: f75f6f698fbaa99787f6efc970f3b5d97425758d9187f7ee71b960defc1d3a11
                                                              • Opcode Fuzzy Hash: 47d63e2ab44fda961755b2d09c731f9f51ae90e2a096bf9a8cc4138956c01fdc
                                                              • Instruction Fuzzy Hash: 70B1AE35910608DFD718CF28C48AB657BE0FF16364F258659E89ACF7A1C339D992CB44
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004A0152
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor
                                                              • String ID:
                                                              • API String ID: 2325560087-0
                                                              • Opcode ID: b9ef73d4e784a5aa2f7c33062c05789f927d9ce7c7b259ada5ab3d769899460b
                                                              • Instruction ID: 8197943967d98f24f972d500513266609476ecb3a868865b9ab725688773cacc
                                                              • Opcode Fuzzy Hash: b9ef73d4e784a5aa2f7c33062c05789f927d9ce7c7b259ada5ab3d769899460b
                                                              • Instruction Fuzzy Hash: EA51AFB19056098FEB59CF65D886BAAB7F0FB58304F24807BC906EB351D3799D00CB98
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fff141325620796591dde5bc7087a23facfbd2245d3bf610f222439c4ddd8220
                                                              • Instruction ID: dbbca598988465d73e232771f246c1f713cb8acfa74a26bfd564be16938a0668
                                                              • Opcode Fuzzy Hash: fff141325620796591dde5bc7087a23facfbd2245d3bf610f222439c4ddd8220
                                                              • Instruction Fuzzy Hash: EB41C575C05218AFDF24DF69CD99AEAB7B9AF45304F1442DEE40DD3201DA789E848F24
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004B5383
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$InfoLocale
                                                              • String ID:
                                                              • API String ID: 3736152602-0
                                                              • Opcode ID: 249c0b84830481aae764b174d46d18a4937f6b2e3180934d1099a4cfc5c0d6db
                                                              • Instruction ID: a1d8d91d37e7db58f12fac72c7cbb68d08e23673742ec82caab93ca315a215b2
                                                              • Opcode Fuzzy Hash: 249c0b84830481aae764b174d46d18a4937f6b2e3180934d1099a4cfc5c0d6db
                                                              • Instruction Fuzzy Hash: 46219032610606ABDB28AA25D851BFBB3E8EF55355B10507FED01C6241EB6CAD41CB68
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • EnumSystemLocalesW.KERNEL32(004B50DC,00000001,00000000,?,-00000050,?,004B5710,00000000,?,?,?,00000055,?), ref: 004B5028
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem
                                                              • String ID:
                                                              • API String ID: 2417226690-0
                                                              • Opcode ID: 609c7b60b329abf560c5a9c87b6a3074906804f5fade3c476fada4374fd2d1ec
                                                              • Instruction ID: c59d748064fdd02dca4e7ae9e2b5534eae6a4b9942832f3570b57b5a16d343a4
                                                              • Opcode Fuzzy Hash: 609c7b60b329abf560c5a9c87b6a3074906804f5fade3c476fada4374fd2d1ec
                                                              • Instruction Fuzzy Hash: B31129362007059FDB18AF39C8916BAB791FF84358B14442EEA4647741D3796942D754
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004B52F8,00000000,00000000,?), ref: 004B558A
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$InfoLocale
                                                              • String ID:
                                                              • API String ID: 3736152602-0
                                                              • Opcode ID: fdee26dfc748327a6a683c8d3ae563e6b20dad38b4325c4c5936b2256749c5e1
                                                              • Instruction ID: 6c4b22e0b45d3b9fd8f312fe2eea925cb84dd60cfea48da5d0058ec2a4b46de8
                                                              • Opcode Fuzzy Hash: fdee26dfc748327a6a683c8d3ae563e6b20dad38b4325c4c5936b2256749c5e1
                                                              • Instruction Fuzzy Hash: ED01DB326006127BDB3866258C457FBB7B5DF40755F15442AED06E3284EA38FE41C6A8
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • EnumSystemLocalesW.KERNEL32(004B532F,00000001,00000000,?,-00000050,?,004B56D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004B509B
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem
                                                              • String ID:
                                                              • API String ID: 2417226690-0
                                                              • Opcode ID: 044812d6f7d4172074a59b6a40f093d36a843a4810a58eaa15c968c52c2b41cc
                                                              • Instruction ID: e3e7e35444b328739bf21766b6b70ea52990023a273ef2f57b11c1a7ea5889e7
                                                              • Opcode Fuzzy Hash: 044812d6f7d4172074a59b6a40f093d36a843a4810a58eaa15c968c52c2b41cc
                                                              • Instruction Fuzzy Hash: B3F0C836300B045FDB247F3998817ABBB91EF80358B15442EFA4547780D6759C42C668
                                                              APIs
                                                                • Part of subcall function 004A49CA: EnterCriticalSection.KERNEL32(-004CB8A8,?,004A76D7,00000000,004C8C40,0000000C,004A769F,?,?,004ADB90,?,?,004AAA8E,00000001,00000364,00000000), ref: 004A49D9
                                                              • EnumSystemLocalesW.KERNEL32(004ADBBA,00000001,004C8E30,0000000C,004ADF92,00000000), ref: 004ADBFF
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                              • String ID:
                                                              • API String ID: 1272433827-0
                                                              • Opcode ID: 404bbb1dd844c1cc67a99b100b4b2150d84b362783a81dd7139c2fab19b31014
                                                              • Instruction ID: 82281c0dab86ab111dd0b7aa3299725519e294946d2e101395f3521cb5067f40
                                                              • Opcode Fuzzy Hash: 404bbb1dd844c1cc67a99b100b4b2150d84b362783a81dd7139c2fab19b31014
                                                              • Instruction Fuzzy Hash: E6F03772A00218DFDB00EF99E802B9D77B0EB59724F10412BE9059B2A1CBB95900CB58
                                                              APIs
                                                                • Part of subcall function 004AA8F0: GetLastError.KERNEL32(?,?,004A71B7,?,?,?,?,00000003,004A4382,?,004A42F1,?,00000000,004A4500), ref: 004AA8F4
                                                                • Part of subcall function 004AA8F0: SetLastError.KERNEL32(00000000,00000000,004A4500,?,?,?,?,?,00000000,?,?,004A459E,00000000,00000000,00000000,00000000), ref: 004AA996
                                                              • EnumSystemLocalesW.KERNEL32(004B4EC4,00000001,00000000,?,?,004B5732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004B4FA2
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$EnumLocalesSystem
                                                              • String ID:
                                                              • API String ID: 2417226690-0
                                                              • Opcode ID: bee055afddbc890bfa2ae219212d1dc8635c7f2ac8af7a938e1e17f3b617b90e
                                                              • Instruction ID: d200d45d0b2fe3b827f2417d45de140140be767a794bcb2e0dd8ded2b6bd1537
                                                              • Opcode Fuzzy Hash: bee055afddbc890bfa2ae219212d1dc8635c7f2ac8af7a938e1e17f3b617b90e
                                                              • Instruction Fuzzy Hash: 08F0EC357002455BCF04AF35D8457BBBF94EFC1714B06405EEE058B692C6799C43C7A4
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004A9527,?,20001004,00000000,00000002,?,?,004A8B19), ref: 004AE0CA
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: InfoLocale
                                                              • String ID:
                                                              • API String ID: 2299586839-0
                                                              • Opcode ID: 287cbc8c8f4faa127884dceab9a602682dc96aac79d1082bf3eb11055e0b6a1e
                                                              • Instruction ID: bd1cb1a622f8999a1d295cb059cab7f2964d52227371515f58d4224d5f9eaac1
                                                              • Opcode Fuzzy Hash: 287cbc8c8f4faa127884dceab9a602682dc96aac79d1082bf3eb11055e0b6a1e
                                                              • Instruction Fuzzy Hash: B5E01A32500128BBCB122F62DC04B9E3A2AAF56760F044426FD15662618B759D21AA99
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,0049FC56), ref: 004A0627
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: ba6d81dea579feb57bb6795d0ac7df815e604ebcb5e72bc016becd715ac41211
                                                              • Instruction ID: 14e5a68ba95460fa8080679bfdce6c83d59fff66b9eb075d015e362763274edf
                                                              • Opcode Fuzzy Hash: ba6d81dea579feb57bb6795d0ac7df815e604ebcb5e72bc016becd715ac41211
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 18b5381c599678c2e1727e31c3aa945beab94b0efad35182e27dbfdd9729f34e
                                                              • Instruction ID: 7e89abbcbb2be1ed623ea5f0b63a811c849c226f63117ea5645e55251e3c5b7b
                                                              • Opcode Fuzzy Hash: 18b5381c599678c2e1727e31c3aa945beab94b0efad35182e27dbfdd9729f34e
                                                              • Instruction Fuzzy Hash: 21A00270515505DB57404F355F0960937E9A545591F0541795545D6160D72444509A45
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b229289c603441376208d48f3768ba4f5a6551f3c19b11e0364878ce7e5048d6
                                                              • Instruction ID: 6c0a664045ac5d641c57476bf5f059ba5bca5a04e7ab178e8ae9ab73a94d6d02
                                                              • Opcode Fuzzy Hash: b229289c603441376208d48f3768ba4f5a6551f3c19b11e0364878ce7e5048d6
                                                              • Instruction Fuzzy Hash: 7B325722D29F115ED7639638C8B23366249AFB73C4F15D737F81AB5AA5EB2CD4834108
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: 8259a019e2d437c91ed0b1604f43ae8628ce4a3863bb49dbba77aa270f9de0b9
                                                              • Instruction ID: 3e8597325a9714e23265f5e3db35e73cf427b6b66316cc84b2cde32dfa2da87f
                                                              • Opcode Fuzzy Hash: 8259a019e2d437c91ed0b1604f43ae8628ce4a3863bb49dbba77aa270f9de0b9
                                                              • Instruction Fuzzy Hash: CCB11A755007419BDB38AF35CC82AF7B3A8EF94308F14452FE943C6682E679A946C728
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                              • Instruction ID: 9bbd7da9ead1aac299812b25b73310073f8653effdd4b95960007605d7c5b06f
                                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                              • Instruction Fuzzy Hash: C011387760008253D614CA6DDAF45F7A395EAFB320F2C836BC0424B7B4C12AA8419608
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,039B4574), ref: 039B4305
                                                              • GetProcAddress.KERNEL32(00000000), ref: 039B430E
                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,039B4574), ref: 039B431F
                                                              • GetProcAddress.KERNEL32(00000000), ref: 039B4322
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,039B4574), ref: 039B43A4
                                                              • GetCurrentProcess.KERNEL32(039B4574,00000000,00000000,00000002,?,?,?,?,039B4574), ref: 039B43C0
                                                              • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,039B4574), ref: 039B43CF
                                                              • CloseHandle.KERNEL32(039B4574,?,?,?,?,039B4574), ref: 039B43FF
                                                              • GetCurrentProcess.KERNEL32(039B4574,00000000,00000000,00000001,?,?,?,?,039B4574), ref: 039B440D
                                                              • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,039B4574), ref: 039B441C
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,039B4574), ref: 039B442F
                                                              • CloseHandle.KERNEL32(000000FF), ref: 039B4452
                                                              • CloseHandle.KERNEL32(?), ref: 039B445A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                                              • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                                              • API String ID: 3110323036-2044536123
                                                              • Opcode ID: 7ffc83c57fee3bc4f800c237e79b87d9c608bbcbc9bac80e11e661089cdbc133
                                                              • Instruction ID: 981b60742e6bea0daef54f87a5dd4e216e5d95f47d5eadf03f8e6fff6ab8d0e6
                                                              • Opcode Fuzzy Hash: 7ffc83c57fee3bc4f800c237e79b87d9c608bbcbc9bac80e11e661089cdbc133
                                                              • Instruction Fuzzy Hash: 9641C371A00219ABCF10EBE68E84AEFBBBDEF84250F184165E910E7181DB70C950DBA0
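The call sequence in the entry above (GetModuleHandleA/GetProcAddress for NtQuerySystemInformation and NtQueryObject, then OpenProcess, DuplicateHandle and CloseHandle) is the standard primitive for enumerating another process's handles: NtQuerySystemInformation(SystemHandleInformation) lists every handle on the system, each one belonging to the target is duplicated into the caller through a PROCESS_DUP_HANDLE process handle, and NtQueryObject reports its type or name. What the sample does with the enumerated handles is not established by these lines alone. The following parser and triage rule is an added example for this report page, not Joe Sandbox code and not code from the sample; the input lines are copied from the entry above, and the rule that takes the GetProcAddress target name from the second printed stack slot of the preceding GetModuleHandleA line is an assumption about how the report prints stack arguments.

```python
"""Parse the 'APIs' reference lines of a Joe Sandbox function entry and flag the
cross-process handle-duplication sequence.  Added example for this report page,
not Joe Sandbox code; interpretation rules are the editor's assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the first twelve reference lines of the function at
# 039B4305 as printed in this report (first-level calls plus the four calls that
# the plugin attributes to its subcall 039B3508).
SAMPLE_APIS = """\
• GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,039B4574), ref: 039B4305
• GetProcAddress.KERNEL32(00000000), ref: 039B430E
• GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,039B4574), ref: 039B431F
• GetProcAddress.KERNEL32(00000000), ref: 039B4322
  • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
  • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
  • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
  • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
• OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,039B4574), ref: 039B43A4
• GetCurrentProcess.KERNEL32(039B4574,00000000,00000000,00000002,?,?,?,?,039B4574), ref: 039B43C0
• DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,039B4574), ref: 039B43CF
• CloseHandle.KERNEL32(039B4574,?,?,?,?,039B4574), ref: 039B43FF
"""

# One reference line: "• [Part of subcall function XXXXXXXX: ]Api.MODULE(a,b,c), ref: XXXXXXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

PROCESS_DUP_HANDLE = 0x0040  # winnt.h access right requested from OpenProcess


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                  # printed stack slots; '?' means the plugin could not resolve one
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee address when the call is attributed to a subcall


def parse_api_lines(text: str) -> list:
    """Turn bulleted reference lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def as_hex(slot: str) -> Optional[int]:
    """Decode a printed stack slot; '?', strings and negative frame offsets are not literal values."""
    if slot.startswith("-"):
        return None
    try:
        return int(slot, 16)
    except ValueError:
        return None


def resolved_from_ntdll(calls: list) -> set:
    """Names resolved at runtime through GetModuleHandleA('ntdll') + GetProcAddress.

    Assumption: the report prints several stack slots per call, so the name string pushed
    for the following GetProcAddress appears as the second slot of the GetModuleHandleA line.
    """
    names = set()
    for c in calls:
        if c.api == "GetModuleHandleA" and len(c.args) >= 2 and c.args[0].lower() == "ntdll":
            names.add(c.args[1])
    return names


def flag_handle_duplication(calls: list) -> list:
    """Triage findings for one function, judged on its first-level calls only."""
    top = [c for c in calls if c.subcall_of is None]
    apis = {c.api for c in top}
    findings = []
    if {"NtQuerySystemInformation", "NtQueryObject"} <= resolved_from_ntdll(top):
        findings.append("resolves NtQuerySystemInformation and NtQueryObject from ntdll at runtime")
    opens_for_dup = any(
        c.api == "OpenProcess" and c.args and ((as_hex(c.args[0]) or 0) & PROCESS_DUP_HANDLE)
        for c in top
    )
    if opens_for_dup and "DuplicateHandle" in apis:
        findings.append("OpenProcess(PROCESS_DUP_HANDLE) followed by DuplicateHandle: "
                        "foreign-process handle duplication")
    return findings


if __name__ == "__main__":
    for finding in flag_handle_duplication(parse_api_lines(SAMPLE_APIS)):
        print(finding)
```

The subcall lines are parsed but excluded from the rule on purpose: the plugin attributes them to 039B3508, a heap-allocation helper, and counting them would make every caller of that helper look like the handle-enumeration routine.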
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                              • String ID: bad locale name
                                                              • API String ID: 3904239083-1405518554
                                                              • Opcode ID: b691abc5455300fbe7a4ce1ab45e2947eb6908e31ca0da38e978242513bef64a
                                                              • Instruction ID: 1ef06dc760a990f93291a8d6413eb256d9f02161f261841dc00ce2ebc611f223
                                                              • Opcode Fuzzy Hash: b691abc5455300fbe7a4ce1ab45e2947eb6908e31ca0da38e978242513bef64a
                                                              • Instruction Fuzzy Hash: 4F214FB0904149EBDF04EB98C9917AEBB71BF44308F54455DF512273C2CBB95A04D769
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                                              • API String ID: 1302938615-1267642376
                                                              • Opcode ID: aa1fa6b53a5aff52aba4dc4e5279e2cb459c2eecc5f3bd27a7dc4002b9fa506c
                                                              • Instruction ID: 09b9edd83976485b604f4185c5b09edd2466e0e06fb7f27d47ee1b2b23f8b299
                                                              • Opcode Fuzzy Hash: aa1fa6b53a5aff52aba4dc4e5279e2cb459c2eecc5f3bd27a7dc4002b9fa506c
                                                              • Instruction Fuzzy Hash: 08916E706043078FDB25CF28C5846AAFBF9EF86284F184D6EE4DA87651DB70E881CB51
                                                              APIs
                                                              • type_info::operator==.LIBVCRUNTIME ref: 004A3400
                                                              • ___TypeMatch.LIBVCRUNTIME ref: 004A350E
                                                              • _UnwindNestedFrames.LIBCMT ref: 004A3660
                                                              • CallUnexpected.LIBVCRUNTIME ref: 004A367B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 2751267872-393685449
                                                              • Opcode ID: f56d2e64416c5085d4758e400d489c84243054072d1bdd17cd4a034d0b1da4a5
                                                              • Instruction ID: 85a470eb608d60d125ffa8afe7aa27320fcfe8685929ee055a9075e8c313f562
                                                              • Opcode Fuzzy Hash: f56d2e64416c5085d4758e400d489c84243054072d1bdd17cd4a034d0b1da4a5
                                                              • Instruction Fuzzy Hash: 57B18A71C00209EFCF25DF99C9419AEBBB5AF2A316B14445BF8016B302E739DA51CF99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3907804496
                                                              • Opcode ID: 58e889470fbbfcd5722aa32f79d4f967998155f911d7dd385f2e72d6350f7c2e
                                                              • Instruction ID: 5e480d69ce01fd1f93e270ac80e3ad2f601940ebb1c03fda659a57e1d39feb6c
                                                              • Opcode Fuzzy Hash: 58e889470fbbfcd5722aa32f79d4f967998155f911d7dd385f2e72d6350f7c2e
                                                              • Instruction Fuzzy Hash: D2B12670E04248AFDF11DF99C8A1BEE7BB1AF95304F58415AE901973A1C7789D42CBB8
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 004A2DE7
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 004A2DEF
                                                              • _ValidateLocalCookies.LIBCMT ref: 004A2E78
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 004A2EA3
                                                              • _ValidateLocalCookies.LIBCMT ref: 004A2EF8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: 263aada18d256761940b6f32bc6396170865e7840a4ba462dbdace49dcbd4ef2
                                                              • Instruction ID: 64bcf85c0c213ac5f52408347dd9fc5a5d68131968d4c4acdebf8155db64b9fb
                                                              • Opcode Fuzzy Hash: 263aada18d256761940b6f32bc6396170865e7840a4ba462dbdace49dcbd4ef2
                                                              • Instruction Fuzzy Hash: E041D130A002099BCF10DF6DC884A9FBBB5BF16318F14815AF814AB392D779DE51DB99
                                                              APIs
                                                              • GetUserDefaultUILanguage.KERNEL32 ref: 039B1F90
                                                              • GetKeyboardLayoutList.USER32(00000032,?), ref: 039B1FF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: DefaultKeyboardLanguageLayoutListUser
                                                              • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                                                              • API String ID: 167087913-619012376
                                                              • Opcode ID: ba89b91df31036bd37b2261466bee75b6fc16328bf9f92d96da1e5afad5831b9
                                                              • Instruction ID: 666982d2855060cf0b5a7ea3082fb590e797bf46a90079670c2d0cf2131f0df0
                                                              • Opcode Fuzzy Hash: ba89b91df31036bd37b2261466bee75b6fc16328bf9f92d96da1e5afad5831b9
                                                              • Instruction Fuzzy Hash: F931E014E08288AAEB01DFE4E5017FDBB70EF54702F00549AF588FA282D77D4B45C76A
                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,69EB2EFE,?,004ADEA3,00000000,004413A5,00000000,00000000), ref: 004ADE55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3664257935-537541572
                                                              • Opcode ID: 7e00d1bcea781092bd3a61affc011c41f101ca729b310945416bc9902555a897
                                                              • Instruction ID: 77f672e9bd6a10ef5c3953be822f611e1497c4b23038e422033033850f97dda5
                                                              • Opcode Fuzzy Hash: 7e00d1bcea781092bd3a61affc011c41f101ca729b310945416bc9902555a897
                                                              • Instruction Fuzzy Hash: B221C371E00610ABCB21AB619C45B9B3768EB737A0F240122E957AF790D738ED01C6ED
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0049E51D
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0049E527
                                                              • int.LIBCPMTD ref: 0049E53E
                                                                • Part of subcall function 004446D0: std::_Lockit::_Lockit.LIBCPMT ref: 004446E6
                                                                • Part of subcall function 004446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00444710
                                                              • codecvt.LIBCPMT ref: 0049E561
                                                              • std::_Facet_Register.LIBCPMT ref: 0049E578
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0049E598
                                                              • Concurrency::cancel_current_task.LIBCPMTD ref: 0049E5A5
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                              • String ID:
                                                              • API String ID: 2133458128-0
                                                              • Opcode ID: 5ff8f6329936d80a8df1aecd3f8d88d2cc3cd5c232d68c7862d9bb0deaf9b8a3
                                                              • Instruction ID: 68d383395796aa3edf9612f0f943cc16087295d75fe7a1a5b4d5d0e5143f5133
                                                              • Opcode Fuzzy Hash: 5ff8f6329936d80a8df1aecd3f8d88d2cc3cd5c232d68c7862d9bb0deaf9b8a3
                                                              • Instruction Fuzzy Hash: 4711D2B19002149BCB10EFA6D8467AE7BB5FF84329F10051FF401A7291DFBCAE018B98
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0049D7AF
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0049D7B9
                                                              • int.LIBCPMTD ref: 0049D7D0
                                                                • Part of subcall function 004446D0: std::_Lockit::_Lockit.LIBCPMT ref: 004446E6
                                                                • Part of subcall function 004446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00444710
                                                              • codecvt.LIBCPMT ref: 0049D7F3
                                                              • std::_Facet_Register.LIBCPMT ref: 0049D80A
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0049D82A
                                                              • Concurrency::cancel_current_task.LIBCPMTD ref: 0049D837
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                              • String ID:
                                                              • API String ID: 2133458128-0
                                                              • Opcode ID: c25ea6ee85b8aa025b8148da2e1d105122c1c841143bba01054a127370be6973
                                                              • Instruction ID: 92716285d2356e2ea198f61f3a7f80f7064539fe08d7c9bae845080323cabe74
                                                              • Opcode Fuzzy Hash: c25ea6ee85b8aa025b8148da2e1d105122c1c841143bba01054a127370be6973
                                                              • Instruction Fuzzy Hash: 0401AD79D001199BCF00EBA59846AAEBB75AF84314F14402EE4116B292CF7C9A05CBD9
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0049F927
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0049F992
                                                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0049F9AF
                                                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0049F9EE
                                                              • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0049FA4D
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0049FA70
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiStringWide
                                                              • String ID:
                                                              • API String ID: 2829165498-0
                                                              • Opcode ID: 14041fcdef90a47c0c4bca32831818e8e3c047625aa76e8a45d7875aeb47da45
                                                              • Instruction ID: 0db2293a609954a183e98533524147a90811c784917bb906069180b07142d519
                                                              • Opcode Fuzzy Hash: 14041fcdef90a47c0c4bca32831818e8e3c047625aa76e8a45d7875aeb47da45
                                                              • Instruction Fuzzy Hash: 9651AE72A0020ABBDF209FA5CC85FAB7FA9EF44754F14413AF908E6250D7788C19CB58
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID: x
                                                              • API String ID: 0-2363233923
                                                              • Opcode ID: 396997b239e8a6230b88fbf284476595a183379a29cc1738e389cb20b1f21c31
                                                              • Instruction ID: 45464d780e140bb1e08c49456f34a18c175369cbbf7fe5b523e7ce2a6f6d9fd0
                                                              • Opcode Fuzzy Hash: 396997b239e8a6230b88fbf284476595a183379a29cc1738e389cb20b1f21c31
                                                              • Instruction Fuzzy Hash: 17029E78E04259EFCB45CF98CA84AEEB7F5FF09304F048856E866EB250D730AA51CB51
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,004A2FA1,004A16DC,004A0672), ref: 004A2FB8
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004A2FC6
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004A2FDF
                                                              • SetLastError.KERNEL32(00000000,004A2FA1,004A16DC,004A0672), ref: 004A3031
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: e17db144ee1a80b714de5bd83b51c4d627ed83037d1076cc6e43318617807126
                                                              • Instruction ID: a0247fba452bd02e98decfc1a62d65696cc396cfceadbf0819469d39df60542a
                                                              • Opcode Fuzzy Hash: e17db144ee1a80b714de5bd83b51c4d627ed83037d1076cc6e43318617807126
                                                              • Instruction Fuzzy Hash: 8301283210D3215E96A42EB67D85F5F6658EBF37B9720033FF110551E0EF994C14624D
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,69EB2EFE,?,?,00000000,004B8AEC,000000FF,?,004A80A8,?,?,004A807C,00000000), ref: 004A8101
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004A8113
                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,004B8AEC,000000FF,?,004A80A8,?,?,004A807C,00000000), ref: 004A8135
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: ab414574a2df6f87c79ae7f60d77157256705674804544315d78f770972f3a64
                                                              • Instruction ID: 1d5ee52bfb583cdd8586b55e850c4dade508c56ac148197cef72921bbc0018d6
                                                              • Opcode Fuzzy Hash: ab414574a2df6f87c79ae7f60d77157256705674804544315d78f770972f3a64
                                                              • Instruction Fuzzy Hash: 29016771510529EFDB119F55CC05BAFBBB9FB09715F00063AF911A2290DB789D01CAA8
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00441E40
                                                              • int.LIBCPMTD ref: 00441E59
                                                                • Part of subcall function 004446D0: std::_Lockit::_Lockit.LIBCPMT ref: 004446E6
                                                                • Part of subcall function 004446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00444710
                                                              • Concurrency::cancel_current_task.LIBCPMTD ref: 00441E99
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00441F01
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                              • String ID:
                                                              • API String ID: 3053331623-0
                                                              • Opcode ID: 8dfc916ee1211c630d5c20adb34ff7eaa3907d89528cc25c3fb9b4a3e65114d8
                                                              • Instruction ID: d050d241ec816934afb1ac0929d3497c3e50be00992078b84bc60a6ba8cbab71
                                                              • Opcode Fuzzy Hash: 8dfc916ee1211c630d5c20adb34ff7eaa3907d89528cc25c3fb9b4a3e65114d8
                                                              • Instruction Fuzzy Hash: 29312CB4D00209DFCB04DF95D892BEEBBB4BF58314F20422EE81567391DB386A44CBA5
                                                              APIs
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00441F40
                                                              • int.LIBCPMTD ref: 00441F59
                                                                • Part of subcall function 004446D0: std::_Lockit::_Lockit.LIBCPMT ref: 004446E6
                                                                • Part of subcall function 004446D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00444710
                                                              • Concurrency::cancel_current_task.LIBCPMTD ref: 00441F99
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00442001
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                              • String ID:
                                                              • API String ID: 3053331623-0
                                                              • Opcode ID: 1436129be67b8f6caec7b5d7bb2f36ee5d5fbf411cebe2ced3955327c229bd69
                                                              • Instruction ID: 5e1efafeb10fb02d528f54ed4a5983ad5adcec8d989b671f7914e25fb593faa4
                                                              • Opcode Fuzzy Hash: 1436129be67b8f6caec7b5d7bb2f36ee5d5fbf411cebe2ced3955327c229bd69
                                                              • Instruction Fuzzy Hash: 85312BB5D00209DFCB14EF95D892BEEBBB0BF58314F20422EE41167391DB386A45CBA5
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0049CE44
                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0049CE4F
                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0049CEBD
                                                                • Part of subcall function 0049CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0049CFB8
                                                              • std::locale::_Setgloballocale.LIBCPMT ref: 0049CE6A
                                                              • _Yarn.LIBCPMT ref: 0049CE80
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                              • String ID:
                                                              • API String ID: 1088826258-0
                                                              • Opcode ID: cfe5595b3ade6b75895c6edbf8ca5480ed75a039ac3582b34ba255b884e2fc61
                                                              • Instruction ID: b6eb8ff29a706ef12460e5f78db2618ea82045ed96d1bc4e8f509bf2da177cf5
                                                              • Opcode Fuzzy Hash: cfe5595b3ade6b75895c6edbf8ca5480ed75a039ac3582b34ba255b884e2fc61
                                                              • Instruction Fuzzy Hash: 61017C75A001119BCB06AF21E8A6A7D7B66FF89344B18402EE90257381CF7C6E06CBDD
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004A4023,00000000,?,004CB824,?,?,?,004A41C6,00000004,InitializeCriticalSectionEx,004BB270,InitializeCriticalSectionEx), ref: 004A407F
                                                              • GetLastError.KERNEL32(?,004A4023,00000000,?,004CB824,?,?,?,004A41C6,00000004,InitializeCriticalSectionEx,004BB270,InitializeCriticalSectionEx,00000000,?,004A3F7D), ref: 004A4089
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004A40B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID: api-ms-
                                                              • API String ID: 3177248105-2084034818
                                                              • Opcode ID: 9fdd23b427ffded24099d576a1c2a3b7ecceaf63df1d7e8a3dbde054fda3893c
                                                              • Instruction ID: c654314083ae58b78da311c1d5bdc527d943dfe3fa07e41c07ef2897478ec11a
                                                              • Opcode Fuzzy Hash: 9fdd23b427ffded24099d576a1c2a3b7ecceaf63df1d7e8a3dbde054fda3893c
                                                              • Instruction Fuzzy Hash: 3AE04830684204BBDF202B61DC06B5D3B949BA1B55F104031FF0CE41E1D7A6DC5199DD
                                                              APIs
                                                              • GetConsoleOutputCP.KERNEL32(69EB2EFE,00000000,00000000,00000000), ref: 004AF4FA
                                                                • Part of subcall function 004B1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004AEF8D,?,00000000,-00000008), ref: 004B1F1E
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004AF74C
                                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004AF792
                                                              • GetLastError.KERNEL32 ref: 004AF835
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                              • String ID:
                                                              • API String ID: 2112829910-0
                                                              • Opcode ID: bba390c0f83e5522f6188355e95e0dffc20d335f690503eccdd9eda676525885
                                                              • Instruction ID: 17941192172d25d26d0c653571346b8ef7f4e61ec851dcd5680d39ec1ea2d9c1
                                                              • Opcode Fuzzy Hash: bba390c0f83e5522f6188355e95e0dffc20d335f690503eccdd9eda676525885
                                                              • Instruction Fuzzy Hash: 57D17AB5D002489FCB15CFE8D8809EEBBB5FF1A304F28412AE816EB355D734A946CB54
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: AdjustPointer
                                                              • String ID:
                                                              • API String ID: 1740715915-0
                                                              • Opcode ID: 108dd6a1d85666fb4d9133cec829f9fda455bb04ea68ff16547bf404bcd85091
                                                              • Instruction ID: 9041b4f79663a504134b89d80e78b4a2aa01dfb4b38543f0fe3c9f8fab6a9721
                                                              • Opcode Fuzzy Hash: 108dd6a1d85666fb4d9133cec829f9fda455bb04ea68ff16547bf404bcd85091
                                                              • Instruction Fuzzy Hash: 7B51E0726052069FDB288F11D841BABB7A4EF66716F14442FF80287391F739EE41C798
                                                              APIs
                                                                • Part of subcall function 004B1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004AEF8D,?,00000000,-00000008), ref: 004B1F1E
                                                              • GetLastError.KERNEL32 ref: 004B22DE
                                                              • __dosmaperr.LIBCMT ref: 004B22E5
                                                              • GetLastError.KERNEL32(?,?,?,?), ref: 004B231F
                                                              • __dosmaperr.LIBCMT ref: 004B2326
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 1913693674-0
                                                              • Opcode ID: aff7cc41bc9d41edfb31feb791dd77893ee45eb9d37b3ceb96a1f7b33998e5c9
                                                              • Instruction ID: ad531cb16acc5cf106267e2f244b8d52d314bc5b10219c9d1c5ce3a764c087c0
                                                              • Opcode Fuzzy Hash: aff7cc41bc9d41edfb31feb791dd77893ee45eb9d37b3ceb96a1f7b33998e5c9
                                                              • Instruction Fuzzy Hash: BA21D631600205AFDF24AF728A808AB77A8EF553683108A1EFC19D7240D7BCEC018778
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7bbdaa477cf86140b246cef32dba879e50f57c12bdefd0afea29440e640a622
                                                              • Instruction ID: 5e98fea11e84eaf3b5d5aaf80ef618da89e769a779b5785bbf767389db34ab17
                                                              • Opcode Fuzzy Hash: c7bbdaa477cf86140b246cef32dba879e50f57c12bdefd0afea29440e640a622
                                                              • Instruction Fuzzy Hash: 26210731A08105BFCF30AF76DC5086B7B69EF66368710452AF814C7650D738DC0087A4
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 004B3226
                                                                • Part of subcall function 004B1EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004AEF8D,?,00000000,-00000008), ref: 004B1F1E
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004B325E
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004B327E
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 158306478-0
                                                              • Opcode ID: 4f8f35bcc657d6aca8f732b936adfeaa169cd58e6636fcb7d1d448fbbe6d005b
                                                              • Instruction ID: d0ee18012c99a1a339237e52a5658bce1d994cb02f598e8bde4e0ccd5ff1d795
                                                              • Opcode Fuzzy Hash: 4f8f35bcc657d6aca8f732b936adfeaa169cd58e6636fcb7d1d448fbbe6d005b
                                                              • Instruction Fuzzy Hash: CA11A1B55015157F7B192BBB5CCECEF39ACDE993A971005AAFA02D1100EB28DE01917A
                                                              APIs
                                                              • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,004B6B6B,00000000,00000001,0000000C,00000000,?,004AF889,00000000,00000000,00000000), ref: 004B7C52
                                                              • GetLastError.KERNEL32(?,004B6B6B,00000000,00000001,0000000C,00000000,?,004AF889,00000000,00000000,00000000,00000000,00000000,?,004AFE2C,?), ref: 004B7C5E
                                                                • Part of subcall function 004B7C24: CloseHandle.KERNEL32(FFFFFFFE,004B7C6E,?,004B6B6B,00000000,00000001,0000000C,00000000,?,004AF889,00000000,00000000,00000000,00000000,00000000), ref: 004B7C34
                                                              • ___initconout.LIBCMT ref: 004B7C6E
                                                                • Part of subcall function 004B7BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004B7C15,004B6B58,00000000,?,004AF889,00000000,00000000,00000000,00000000), ref: 004B7BF9
                                                              • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,004B6B6B,00000000,00000001,0000000C,00000000,?,004AF889,00000000,00000000,00000000,00000000), ref: 004B7C83
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                               • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                               • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                              • String ID:
                                                              • API String ID: 2744216297-0
                                                              • Opcode ID: 72cb5a9d25278edfc803c4e0f2b1b9ae7367b5f6471a52ca37af0c0f01c567cc
                                                              • Instruction ID: 28a0193636e00772b03371d606d9575ab658fcadfeb045442a326fd56fdebd3d
                                                              • Opcode Fuzzy Hash: 72cb5a9d25278edfc803c4e0f2b1b9ae7367b5f6471a52ca37af0c0f01c567cc
                                                              • Instruction Fuzzy Hash: 58F03736504119BBDF221FD5DC08DDA3F35FB843A4F054565FA0985130C6368C20DBA9
                                                              APIs
                                                                • Part of subcall function 039B3508: EnterCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B3512
                                                                • Part of subcall function 039B3508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039B51B7), ref: 039B351B
                                                                • Part of subcall function 039B3508: RtlAllocateHeap.NTDLL(00000000,?,?,039B51B7), ref: 039B3522
                                                                • Part of subcall function 039B3508: LeaveCriticalSection.KERNEL32(039B84D4,?,?,039B51B7), ref: 039B352B
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 039B2E3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2672890326.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 039B0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_39b0000_56AD.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
                                                              • String ID: x
                                                              • API String ID: 1990697408-2363233923
                                                              • Opcode ID: 3ea2fec248ecb43d4f3b181917f15dfb389675f847a68f08f9e06178d67ff199
                                                              • Instruction ID: 3ed935f565aee6638335818b9aa16f520a1fbb068bd6a1bc260d094c21efd6a5
                                                              • Opcode Fuzzy Hash: 3ea2fec248ecb43d4f3b181917f15dfb389675f847a68f08f9e06178d67ff199
                                                              • Instruction Fuzzy Hash: 8D02AE75904249EFCF05CF98DA84AEEBBF4FF09354F148899E895EB250D730AA81CB51
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 004ABC8D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: 2f94797dc3c0b0894bc21ed7232763e4dc3cc0190ecfb0990235ff1d7d321c29
                                                              • Instruction ID: d1d87ec2ce211d821bdb658af770b914ecd72ffc4705d35d68f6333e3cc94c67
                                                              • Opcode Fuzzy Hash: 2f94797dc3c0b0894bc21ed7232763e4dc3cc0190ecfb0990235ff1d7d321c29
                                                              • Instruction Fuzzy Hash: 00513A6190520196DB117714D9C177B2B90DB72720F204D6FE496823EAEF3D8CD5AACE
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?), ref: 004A36AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000C.00000002.2658327284.0000000000441000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00440000, based on PE: true
                                                              • Associated: 0000000C.00000002.2658294770.0000000000440000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658443743.00000000004B9000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2658481453.00000000004CA000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660284506.00000000004CB000.00000040.00000001.01000000.0000000B.sdmp
                                                              • Associated: 0000000C.00000002.2660624152.00000000004CC000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_12_2_440000_56AD.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer
                                                              • String ID: MOC$RCC
                                                              • API String ID: 2118026453-2084237596
                                                              • Opcode ID: 475b32725375bc9ba17cf9a8a936aa3e9b14a65d9927f0438f7851f78b050592
                                                              • Instruction ID: 1f8ec67e6b2d4eb32fcd2d855b68e66d71af862fae1b730b8c6900b5129dbcf4
                                                              • Opcode Fuzzy Hash: 475b32725375bc9ba17cf9a8a936aa3e9b14a65d9927f0438f7851f78b050592
                                                              • Instruction Fuzzy Hash: F841ACB1900209AFCF15DF98CD81AEEBBB1FF59305F14819AF90467261E339AE50DB58